Malware can be dropped through embedded objects across productivity suite.
A zero-day bug on Windows is leading hackers to exploit Microsoft PowerPoint in a bid to remotely execute malicious code.
At least two groups are abusing the so-called Sandworm vulnerability, according to the security company Symantec, with the intent of dropping the trojan Taidoor and the backdoor Darkmoon, also known as Poison Ivy, onto victims’ machines.
"The group using Taidoor is a well-established threat actor that has been in operation since at least 2008," Symantec said.
"It has a track record of exploiting recently discovered zero-day vulnerabilities in its attacks. Most recently, in March it used a Microsoft Word zero-day in attacks against government agencies and an educational institute in Taiwan."
Timestamp evidence obtained by the firm suggests that those using Darkmoon may have been abusing Sandworm before it was disclosed on October 14, although Symantec say the hackers could have created false timestamps.
The bug works by hiding malicious payloads inside Windows Object Linking and Embedding (OLE) objects, which normally allow users to insert and edit media across various Microsoft Office programs, and is a variant on a previous glitch that allowed hackers to link to external files.
Microsoft is working on a patch to be released as soon as possible, and has warned that attackers can exploit the vulnerability through email attachments or in a website based attack containing malicious Office content.
It said: "Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
"The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed."
All supported Windows releases are affected, with the exception of Windows Server 2003.