This is another short piece in the “Strictly Theoretical” mini series, in which I put insensible historical incident-management and suspicious-behaviour patterns under the microscope, reflecting on how the “inner” and “outer” worlds continuously interact with each other to form the everyday life of the production environment.
Malicious Excel Document
Quite often, users in different departments receive external emails with attachments containing client data or other information. By the time the email lands in the recipient’s mailbox it has passed through various gateways, filters and virus checks, but it can still carry ambiguous data. Adversaries can attempt to obscure malicious code by abusing how rundll32.exe loads DLL function names. This is what can happen when a supposedly harmless button or macro in an Excel or Word document invokes a function that opens a connection back to the attacker’s machine.
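Detection logic for the behaviour described above, as an added example that is not part of the original post: it runs over constructed process-creation records (the field names are an assumption modelled loosely on Sysmon Event ID 1, not a product schema) and flags rundll32.exe launched by an Office application, exports called by ordinal instead of by name, and DLLs loaded from a user profile or ProgramData path.

```python
import re
import shlex

# Constructed sample events; field names are an assumption, not a real schema.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\inv.dll,#1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\Downloads\report.dll,Start"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rundll32_export(cmdline):
    """Return (dll, export) from a rundll32 command line, or None."""
    try:
        args = shlex.split(cmdline, posix=False)  # keep backslashes literal
    except ValueError:
        return None
    if len(args) < 2 or "," not in args[1]:
        return None
    dll, export = args[1].strip('"').split(",", 1)
    return dll, export

def triage(event):
    """Return the reasons this event deserves analyst attention ([] if none)."""
    reasons = []
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    if child != "rundll32.exe":
        return reasons
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32 spawned by Office process {parent}")
    spec = rundll32_export(event["CommandLine"])
    if spec:
        dll, export = spec
        if export.startswith("#"):
            reasons.append(f"export called by ordinal {export} in {basename(dll)}")
        if re.search(r"\\(users|programdata)\\", dll, re.I):
            reasons.append(f"DLL loaded from user-writable location {dll}")
    return reasons

def scan(events):
    """Pair each suspicious command line with its reasons."""
    return [(e["CommandLine"], r) for e in events if (r := triage(e))]
```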
What needs to be done
In a situation like this, immediate action must be taken. First, the user must confirm through a separate channel whether they have interacted with that specific document. Second, depending on the response, the machine needs to be quarantined and re-imaged, and the user’s sessions need to be forced offline with a password reset.
Thanks for reading and, as always, any feedback is most welcome.