PowerPoint add-on used to spread malicious files, says Avanan

Avanan began seeing the attack vector in January.
Written by Jonathan Greig, Contributor

A PowerPoint add-on is being used to spread malicious files, according to the findings of security company Avanan.

Avanan's Jeremy Fuchs said the .ppam file -- which has bonus commands and custom macros -- is being used by hackers "to wrap executable files."

The company began seeing the attack vector in January, noting that the .ppam files were used to wrap executable files in a way that allows hackers to "take over the end-user's computer." Most of the attacks are coming through email. 

"In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten," Fuchs said. 

"Using .ppam files... hackers can wrap, and thus hide, malicious files. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer's memory."


The hackers found a way around security tools because of how infrequently the .ppam file is used. Fuchs added that the attack method could be used to spread ransomware, pointing to an incident in October where a ransomware group did use the file type during an attack. 

Aaron Turner, vice president of SaaS posture at Vectra, said the ubiquity of Microsoft's collaboration suite makes it a favorite of attackers, and the latest PowerPoint attack is the most recent example of more than 20 years of crafty Microsoft Office documents delivering exploits. 

"For organizations that rely on Exchange Online for their email, they should review their anti-malware policies configured in their Microsoft 365 Defender portal. Alternatively, if there is a high risk of attack that needs to be addressed outside of the Defender policies, specific attachment file types can be blocked in a dedicated .ppam blocking policy as an Exchange Online mail flow policy," Turner said. 

"When we run our posture assessment scan against Exchange Online, we check the configured policy and compare it to our recommendation of blocking over 100 different file types. As the result of this research, we'll be adding .ppam to our list of file extensions to block due to the relative obscurity and low use of that particular PowerPoint file extension."

Editorial standards