# VSTO and Malicious Office Docs

It's not a bug, it's a feature!

What is Visual Studio Tools for Office (VSTO)?

* **Visual Studio Tools for Office** (**VSTO**) is a set of development tools available in the form of a [Visual Studio](https://en.wikipedia.org/wiki/Visual_Studio) add-in (project templates) and a [runtime](https://en.wikipedia.org/wiki/Runtime_library) that allows [Microsoft Office](https://en.wikipedia.org/wiki/Microsoft_Office) [2003](https://en.wikipedia.org/wiki/Microsoft_Office_2003) and later versions of Office applications to host the [.NET Framework](https://en.wikipedia.org/wiki/.NET_Framework) [Common Language Runtime](https://en.wikipedia.org/wiki/Common_Language_Runtime) (CLR) to expose their functionality via .NET.

{% embed url="<https://en.wikipedia.org/wiki/Visual_Studio_Tools_for_Office>" %}

{% embed url="<https://visualstudio.microsoft.com/vs/features/office-tools/>" %}

{% embed url="<https://github.com/MicrosoftDocs/visualstudio-docs/blob/main/docs/vsto/visual-studio-tools-for-office-runtime-overview.md>" %}

Any malicious payload can be embedded in an Office document using VSTO. The links below give detailed explanations.

{% embed url="<https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010>" %}

{% embed url="<https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/>" %}

{% embed url="<https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/>" %}

A quick hands-on walkthrough in a YouTube video:

{% embed url="<https://www.youtube.com/watch?v=YN8d06_rk94>" %}

**PS:**

* More powerful than macro and formula injection! You can write anything in C# smoothly.
* It can update itself and its .NET libraries on every execution. (OMG! It can be a self-updating dropper!)
* EDRs cannot detect it the same way they detect macros.

**Prevention:**

* Disable all application add-ins for Office via Group Policy (this may not be practical for large companies).

![](/files/FtTpRr3PFk6RR8IC9Yra)

* Require that application add-ins be signed by a Trusted Publisher via Group Policy (there are many ways to bypass this (^^,) ).

![](/files/HDn14QCWo4Z7nVwBMjFl)

* I have not done it yet, but behavioral analysis can be applied to this situation. Also, C# projects could be restricted to those carrying the company signature: if a subprocess compiling and executing an unsigned C# project is observed under an Office document, the EDR can block it.

* The blog post below should also be read when building a prevention scenario against this kind of phishing attack.

{% embed url="<https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/>" %}
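As an added example (not code from this page or from any of the linked posts), a file-side check that complements the behavioral prevention bullets above: a VSTO document-level customization is declared through the `_AssemblyLocation` and `_AssemblyName` custom document properties stored in `docProps/custom.xml`, so a mail gateway or triage script can flag a document that carries them before Office ever loads the runtime. The sample document is constructed in memory, and the manifest path in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PROPS_PART = "docProps/custom.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
# Custom document properties a VSTO document-level customization uses to tell
# the VSTO runtime which deployment manifest (.vsto) to fetch and load.
VSTO_MARKERS = ("_AssemblyLocation", "_AssemblyName")

def vsto_custom_properties(doc_bytes: bytes) -> dict:
    """Return the VSTO-related custom properties of an OOXML file (empty if none)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if CUSTOM_PROPS_PART not in zf.namelist():
            return found  # no custom-properties part at all
        root = ET.fromstring(zf.read(CUSTOM_PROPS_PART))
    for prop in root.findall("cp:property", NS):
        name = prop.get("name", "")
        if name in VSTO_MARKERS:
            value = prop.find("vt:lpwstr", NS)
            found[name] = value.text if value is not None else ""
    return found

def is_vsto_customized(doc_bytes: bytes) -> bool:
    """A document declaring _AssemblyLocation will make Office resolve a manifest."""
    return "_AssemblyLocation" in vsto_custom_properties(doc_bytes)

def build_sample_doc(custom_props: dict) -> bytes:
    """Constructed minimal OOXML container holding only docProps/custom.xml (test
    input, not a real Word file); values must contain no XML-special characters."""
    props_xml = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="{name}"><vt:lpwstr>{value}</vt:lpwstr></property>'
        for pid, (name, value) in enumerate(custom_props.items(), start=2)
    )
    xml = (f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">'
           f"{props_xml}</Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CUSTOM_PROPS_PART, xml)
    return buf.getvalue()

if __name__ == "__main__":
    # "|vstolocal" tells the runtime to load the manifest from the given location.
    doc = build_sample_doc({"_AssemblyName": "*", "_AssemblyLocation": "file:///C:/PLACEHOLDER/Payload.vsto|vstolocal"})
    print(is_vsto_customized(doc), vsto_custom_properties(doc))
```

Run it over real .docx/.xlsx/.pptx bytes instead of the constructed sample; a document with an `_AssemblyLocation` pointing at a share or URL deserves the same scrutiny as a macro-enabled file.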

-EOF