Where’s the macro? Malware authors are now using OLE embedding to deliver malicious files

Where’s the macro? Malware authors are now using OLE embedding to deliver malicious files

Microsoft’s Malware Protection Center is warning of a rise in attacks using boobytrapped Word documents, with malicious content embedded within using OLE:

…we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

Here are the simple rules I follow if I simply have to read a Word document that someone has sent to me:

  1. Don’t enable macros. Ever.
  2. Don’t fall for any encouragement to click or interact with any content within the document.
  3. Ideally, don’t use Word to view the document in the first place. Use a third-party viewer instead which doesn’t support daft things like OLE and macros which the vast majority of us never need.

In its blog post, Microsoft explains how to change the Registry key to disable Microsoft Office’s support for OLE, ensuring that no embedded packages can be activated regardless of how much users desperately try to click on them.

Wouldn’t it have been great if Microsoft had just kept Word as a simple word processor, rather than foisting all this risky functionality onto us in the first place?

Sign up to our free newsletter.
Security news, advice, and tips.

Update: As malware expert Vesselin Bontchev points out, Microsoft probably meant Visual Basic Script (VBS) rather than Visual Basic.

Vesselin also recommends businesses running Office harden their defences by following the advice in these articles:

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.