VSTO and Malicious Office Docs

These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new technics. To boldly go where no one has gone before!

It's not a bug, it's a feature!

What is the Visual Studio Tools for Office (VSTO)?

Any Malicious Payload can be emplaced into any office documents using VSTO. You can find detailed explanations in the below links.

Quick practice in a YouTube video:


  • More powerful than Macro and formula injection! You can write anything with C# smoothly.

  • It can update itself and .NET libraries in every execution. (OMG! It can be a self-updated dropper!)

  • EDRs can not detect in the same way as macros.


  • Disable all add-ins for office in the Group Policy (This may not be useful for large companies.)

  • Require that application add-ins are signed by Trusted Publisher in the Group Policy. (There are many bypass ways for this(^^,) )

  • I have not done it yet, but behavioral analysis can be done for this situation. Also, C# projects could be restricted with the company signature. If a subprocess of a C# project compiling and executing without a signature is observed under an office document, it can be blocked by the EDR.

  • Also, the below blog post should be read to create a prevention scenario against this kind of phishing attack.


Last updated