# VSTO and Malicious Office Docs

It's not a bug, it's a feature!

What is Visual Studio Tools for Office (VSTO)?

* **Visual Studio Tools for Office** (**VSTO**) is a set of development tools available in the form of a [Visual Studio](https://en.wikipedia.org/wiki/Visual_Studio) add-in (project templates) and a [runtime](https://en.wikipedia.org/wiki/Runtime_library) that allows [Microsoft Office](https://en.wikipedia.org/wiki/Microsoft_Office) [2003](https://en.wikipedia.org/wiki/Microsoft_Office_2003) and later versions of Office applications to host the [.NET Framework](https://en.wikipedia.org/wiki/.NET_Framework) [Common Language Runtime](https://en.wikipedia.org/wiki/Common_Language_Runtime) (CLR) to expose their functionality via .NET.

{% embed url="<https://en.wikipedia.org/wiki/Visual_Studio_Tools_for_Office>" %}

{% embed url="<https://visualstudio.microsoft.com/vs/features/office-tools/>" %}

{% embed url="<https://github.com/MicrosoftDocs/visualstudio-docs/blob/main/docs/vsto/visual-studio-tools-for-office-runtime-overview.md>" %}

Any malicious payload can be delivered through an Office document with VSTO: the document carries a reference to a VSTO add-in (a .NET assembly plus its deployment manifest), and Office loads it when the document is opened (after the VSTO install prompt, if the publisher is not already trusted). Detailed explanations are in the links below.

{% embed url="<https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010>" %}

{% embed url="<https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/>" %}

{% embed url="<https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/>" %}

A quick hands-on walkthrough in a YouTube video:

{% embed url="<https://www.youtube.com/watch?v=YN8d06_rk94>" %}

**PS:**

* More powerful than macros and formula injection: the payload is ordinary C# code with the full .NET Framework available.
* It can update itself and its .NET libraries on every execution, since the add-in is deployed through a ClickOnce-style deployment manifest and can be set to check for a newer assembly each time it runs. (OMG! It can be a self-updating dropper!)
* EDRs do not see it the way they see macros: there is no VBA project in the file; the code is a .NET assembly that the VSTO runtime loads into the Office process.

**Prevention:**

* Disable all application add-ins for Office via Group Policy. (This may not be workable for large companies that rely on legitimate add-ins.)

![](https://303615811-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LcAvWvRlcSk3lddJoVO%2Fuploads%2FjnY3n5H8ipHtIkIQEnXb%2Fimage.png?alt=media\&token=18bee130-11a0-4a4d-93af-d78923b2d6c6)

* Require that application add-ins are signed by a Trusted Publisher via Group Policy. (There are many ways around this (^^,) )

![](https://303615811-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LcAvWvRlcSk3lddJoVO%2Fuploads%2F8yEDnryiTJXtWLWEpAsH%2Fimage.png?alt=media\&token=c2d58c57-2538-4bb4-99c8-e260fdfb3ea2)

* I have not built it yet, but behavioural detection is possible here. The company could also require its own code-signing signature on every .NET add-in; when an Office process is seen loading, compiling or executing a .NET assembly that does not carry that signature, the EDR can block it.

* The blog post below is also worth reading when designing a prevention scenario against this kind of phishing attack.

{% embed url="<https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/>" %}
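As an added example (not code from this page, from NVISO or from Microsoft), the following Python script does the static triage the prevention bullets and the NVISO post are about: it opens an OOXML file as a zip, reads `docProps/custom.xml`, and looks for the two custom properties a VSTO document-level customization sets, `_AssemblyLocation` (deployment manifest path, solution ID and an optional `vstolocal` flag, separated by `|`) and `_AssemblyName` (the fixed marker value Microsoft documents for VSTO customizations). It ties back to the point above that the document does not contain the payload itself, only a pointer to the add-in: a manifest that lives on an http(s) URL or a UNC share is the phishing case, a `vstolocal` path is what a normally installed customization looks like. The three sample documents are constructed in memory for this example and are not real files; the remote-vs-local classification is my own triage rule, not a Microsoft or NVISO one.

```python
"""Triage an OOXML (docx/xlsx/pptx) file for a VSTO document-level customization.

Added example for this page; samples below are constructed, not real documents.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CUSTOM_PROPS_PART = "docProps/custom.xml"
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Marker value Microsoft documents for _AssemblyName on VSTO customizations
VSTO_ASSEMBLY_NAME = "4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B"


def read_custom_properties(doc: bytes) -> dict:
    """Return {name: value} from docProps/custom.xml, or {} when the part is absent."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        if CUSTOM_PROPS_PART not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CUSTOM_PROPS_PART))
    props = {}
    for prop in root.iter(f"{{{NS_CUSTOM}}}property"):
        value_el = next(iter(prop), None)  # the single vt:* child holds the value
        props[prop.get("name")] = "" if value_el is None else (value_el.text or "")
    return props


def parse_assembly_location(value: str) -> dict:
    """Split '<manifest>|<solution id>[|vstolocal]' and classify where the manifest lives."""
    fields = value.split("|")
    manifest = fields[0].strip()
    parsed = urlparse(manifest)
    scheme = parsed.scheme.lower()
    # http(s) URL, UNC path or file:// with a host: Office fetches manifest + assembly off-box
    remote = (
        scheme in ("http", "https")
        or manifest.startswith("\\\\")
        or (scheme == "file" and parsed.netloc not in ("", "localhost"))
    )
    return {
        "manifest": manifest,
        "solution_id": fields[1].strip() if len(fields) > 1 else "",
        "installed_locally": "vstolocal" in (f.strip().lower() for f in fields[2:]),
        "remote_manifest": remote,
    }


def triage(doc: bytes) -> dict:
    """Report whether the file references a VSTO customization and how risky that reference is."""
    props = read_custom_properties(doc)
    location = props.get("_AssemblyLocation")
    if location is None:
        return {"vsto": False}
    result = {"vsto": True, "vsto_marker": props.get("_AssemblyName") == VSTO_ASSEMBLY_NAME}
    result.update(parse_assembly_location(location))
    return result


def custom_props_xml(location: str) -> str:
    """docProps/custom.xml with the two properties a VSTO document-level customization sets."""
    fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard user-defined property set
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">'
        f'<property fmtid="{fmtid}" pid="2" name="_AssemblyLocation">'
        f"<vt:lpwstr>{location}</vt:lpwstr></property>"
        f'<property fmtid="{fmtid}" pid="3" name="_AssemblyName">'
        f"<vt:lpwstr>{VSTO_ASSEMBLY_NAME}</vt:lpwstr></property>"
        "</Properties>"
    )


def build_sample(custom_xml) -> bytes:
    """Build a minimal OOXML zip (constructed for this example, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        if custom_xml is not None:
            zf.writestr(CUSTOM_PROPS_PART, custom_xml)
    return buf.getvalue()


# Constructed samples: phishing-style remote manifest, a normal locally installed
# customization, and a document with no custom properties at all.
SAMPLE_REMOTE = build_sample(custom_props_xml(
    "https://example.invalid/updates/Report.vsto|{1c0f7b2e-0000-4000-8000-000000000001}"))
SAMPLE_LOCAL = build_sample(custom_props_xml(
    "C:\\Program Files\\Contoso\\Report.vsto|{1c0f7b2e-0000-4000-8000-000000000002}|vstolocal"))
SAMPLE_CLEAN = build_sample(None)

if __name__ == "__main__":
    for label, doc in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL), ("clean", SAMPLE_CLEAN)):
        print(label, triage(doc))
```

To use it on real files, pass `open(path, "rb").read()` to `triage()`; a `remote_manifest` hit on a document that arrived by e-mail is worth an alert on its own, and `vsto_marker` confirms the properties are the VSTO runtime's rather than a coincidental property name.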

-EOF
