Where’s the macro? Malware authors are now using OLE embedding to deliver malicious files

Where’s the macro? Malware authors are now using OLE embedding to deliver malicious files

Microsoft’s Malware Protection Center is warning of a rise in attacks using boobytrapped Word documents, with malicious content embedded within using OLE:

…we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

Here are the simple rules I follow if I simply have to read a Word document that someone has sent to me:

  1. Don’t enable macros. Ever.
  2. Don’t fall for any encouragement to click or interact with any content within the document.
  3. Ideally, don’t use Word to view the document in the first place. Use a third-party viewer instead which doesn’t support daft things like OLE and macros which the vast majority of us never need.

In its blog post, Microsoft explains how to change the Registry key to disable Microsoft Office’s support for OLE, ensuring that no embedded packages can be activated regardless of how much users desperately try to click on them.

Wouldn’t it have been great if Microsoft had just kept Word as a simple word processor, rather than foisting all this risky functionality onto us in the first place?

Sign up to our free newsletter.
Security news, advice, and tips.

Update: As malware expert Vesselin Bontchev points out, Microsoft probably meant Visual Basic Script (VBS) rather than Visual Basic.

Vesselin also recommends businesses running Office harden their defences by following the advice in these articles:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.