Phishing.md

Phishing

---

Table of Contents

• General
  • Articles/Blogposts
  • Papers
  • Talks/Presentations
  • Writeups
  • Metrics
  • [Writeups]
  • Phishing Pretexts
  • Vishing
  • Homoglyphs/Punicode/Unicode Funniness
• Documentation
  • Dynamic Data Exchange(DDE)
  • DomainKeys Identified Mail
  • Domain Message Authentication, Reporting, and Conformance - DMARC
  • Excel File Formats
  • Extensible Stylesheet Language(XSL/XSL Transformations)
  • Excel Macros
  • Excel PowerQuery
  • Factur-X
  • Html Application (HTA)
  • MS Word Field Codes
  • MS Office File Formats
  • Object Linking and Embedding
  • Office Open XML Format
  • Office URI Schemes
  • PowerPoint Mouseover
  • Protected View
  • ScriptControl
  • Sender Policy Framework - SPF
  • Subdocument Reference
  • Transport Neutral Encapsulation Format
  • Visual Basic for Applications (VBA)
  • XLL
• Phishing Frameworks
  • All-In-Ones
  • Built for 2FA
  • Social Media
  • Specific Purpose
• Payloads
  • Delivery
  • CHM File
  • ClickOnce
  • DotNetToJScript
  • GadgetToJScript
  • HTA
  • OLE+LNK / Embedded Objects
  • PDF
  • .SettingContent-ms
  • SYLK
  • UNC
• Tools
• Microsoft Outlook/Exchange Stuff/Office 365
• Microsoft Office
  • General
  • DDE
  • DLL
  • Embeds
  • Exploits
  • Excel
  • Excel+DDE+PowerQuery
  • Field Codes
  • InfoPath
  • LoL
  • Macros
    • 101
    • Articles/Blogposts/Writeups
    • Activex
    • Execution
    • Evasion
    • Excel Specific / 4.0 Macros
    • Keying
    • macOS Specific
    • Remote Template Injection
    • VBA Stomping
    • Tools
  • OLE
  • Online Video in MS Word -PowerPoint MouseOver
  • Protected View
  • subdDoc
  • Temporary File Drop
  • Word Fields
• OpenOffice/LibreOffice
• Setting up a Server
• Local Phishing

---

To Do: * Other payload types * File smuggling * Wifi * Unicode * RTF * OpenOffice stuff

---

General

• General
  • Phishing - wikipedia:
    • Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
  • Phishing with Maldocs
  • Post exploitation trick - Phish users for creds on domains, from their own box
  • iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking
  • Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BH Asia2017
    • Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money.
    • Slides
  • Red Team Techniques: Gaining access on an external engagement through spear-phishing - Josh Kamdjou(2019)
  • Blocking Spam and Phishing on a Budget - ?(2019)
• Articles/Blogposts
  • Best Time to send email
  • Top 10 Email Subjects for Company Phishing Attacks
  • Some Tips for Legitimate Senders to Avoid False Positives - Apache SpamAssassin
  • Email Delivery: What Pen Testers Should Know - cs(2013)
  • What are the go-to phishing technique or exploit? - cs(2014)
  • Introduction: Bypassing Email Security - Hector Monsegur
  • Phishing, Lateral Movement, SCADA, OH MY!
  • Phishing with Empire - Enigma0x3
  • Phishing for Access - rvrsh3ll's blog
  • Cross-Site Phishing
  • Email Notification on shell connectback MSF Plugin
    • Code
  • How to Bypass Safe Link/Attachment Processing of ATP - support.knowbe4.com
  • These Aren't the Phish You're Looking For - Curtiz Brazzell(2020)
    • "My research took me down a long but enjoyable adventure over the last month and I learned a great deal about how sites end up on blacklists, who shares information behind the scenes, and ultimately, how to completely bypass ending up on a blacklist altogether."
  • Phishing Against Bromium - Steve Borosh(2017)
  • Lessons learned on written social engineering attacks - DiabloHorn(2020)
  • Phishing Sites with Netlify - HunnicCyber
  • Quick exploration of the use of .chm and .hta files in APT phishing campaigns - jh904(2020)
  • What are email reply-chain attacks & How can you stay safe?
  • The totally legitimate guide to spearphishing and whaling - Andrew Long(2020)
  • Hiding in Plain Sight - Obfuscation Techniques in Phishing Attacks - ProofPoint
  • Code Obfuscation 10**2+(2*a+3)%2 - Gaetan Ferry(JSecIn 2018)
  • Spear-phishing campaign tricks users to transfer money (TTPs & IOC) - readteam.pl(2020)
  • An Approach to Bypassing Mail Filters - Will Pearce(2018)
  • Low-tech EDR bypass - dumpco.re(2020)
    • "TL;DR: I designed a piece of super simple malware/implant that evaded everything that I threw against it."
  • Abusing 3rd Party Service Providers
    • Abusing Misconfigured Cloud Email Providers for Enhanced Phishing Campaigns - und3rf10w.blogspot
    • Next Gen Phishing - Leveraging Azure Information Protection - Oddvar Moe
      • In this blog post, I will go over how to use Azure Information Protection (AIP) to improve phishing campaigns from the perspective of an attacker. The idea came during an engagement where I was having trouble getting phishing emails into users’ inboxes without being caught by a sandbox on the way. During this engagement, it struck me like a bolt of lightning that I could use AIP (also known as Rights Management Service) to protect the attachments and even the email so that only the designated recipient could open it. That way, it would not matter if the sandbox got the file since it will not be possible for it to read the contents.
    • Using SharePoint as a Phishing Platform - David Cash(2020)
  • Campaign Writeups
    • Guccifer Rising? Months-Long Phishing Campaign on ProtonMail Targets Dozens of Russia-Focused Journalists and NGOs - Bellingcat
• Papers
  • Tab Napping - Phishing
  • Skeleton in the closet. MS Office vulnerability you didn’t know about
    • Microsoft Equation Editor Exploit writeup
  • MetaPhish Paper
  • MetaPhish - Defcon17
• Talks & Presentations
  • Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BHA17
    • Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money.
  • Casting with the Pros Tips and Tricks - Nathan Sweaney(DEFCON27 RedTeam Village)
    • Slides
    • Phishing seems easy enough, but getting successful results can be difficult. In this talk we'll walk through practical tips for getting better responses. We'll talk about target selection, ruse development, technology deployment, and suggestions for working with clients to maximize the value of the assessment.
  • Hacking Corporate Email Systems - Nate Power(BSides Columbus 2016)
  • Purple Haze: The SpearPhishing Experience - Jesse Nebling(Toorcon21)
  • Three Years of Phishing - What We've Learned - Mike Morabito
    • Cardinal Health has been aggressively testing and training users to recognize and avoid phishing emails. This presentation covers 3 years of lessons learned from over 18,000 employees tested, 150,000 individual phishes sent, 5 complaints, thousands of positive comments, and a dozen happy executives. Learn from actual phishing templates what works well, doesn,t work at all, and why? See efficient templates for education and reporting results.
  • Ichthyology: Phishing as a Science - BH USA 2017
  • Modern Evasion Techniques Jason Lang - Derbycon7
    • As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.
  • Phishing Like The Pros - Luis Santana - Derbycon 2013
    • This talk will discuss phishing techniques used by professionals during phishing campaigns and introduce PhishPoll, a PHP-based phishing framework for creating, managing, and tracking phishing campaigns.
  • MetaPhish - Valsmith, Colin Ames, and David Kerb - DEF CON 17
  • Phishing for Funds: Understanding Business Email Compromise - Keith Turpin - BH Asia2017
    • Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money.
  • Defeating The Latest Advances in Script Obfuscation - Mark Mager(Derbycon2016)
    • This talk will cover some of the most recently seen advanced obfuscation techniques employed by APTs, exploit kits, and other malware authors along with proven methods for circumventing and decoding these techniques. I will then apply these methods to guide the audience through the deobfuscation of a fully obfuscated script. Audience members will walk away with a solid understanding of how common obfuscation techniques are employed in scripting languages along with how they can be defeated.
  • Phishing 2020 – Part 1 - hacktheplanet.io
    • Part 2
    • Part 3
  • You've Got Pwned: Exploiting E-Mail Systems by @securinti #NahamCon2020
• Writeups
  • How do I phish? Advanced Email Phishing Tactics - Pentest Geek
  • Real World Phishing Techniques - Honeynet Project
  • Phishing with Maldocs - n00py
  • Tabnabbing - An art of phishing - securelayer7
  • Add-In Opportunities for Office Persistence
    • This post will explore various opportunities for gaining persistence through native Microsoft Office functionality. It was inspired by Kostas Lintovois's similar work which identified ways to persist in transient Virtual Desktop Infrastructure (VDI) environments through adding a VBA backdoor to Office template files
  • One Template To Rule 'Em All
    • This presentation discussed how Office security settings and templates can be abused to gain persistence in VDI implementations where traditional techniques relying on the file system or the Registry are not applicable. Additionally, it was described how the introduction of application control and anti-exploitation technologies may affect code execution in locked down environments and how these controls can be circumvented through the use of VBA.
  • Spear Phishing 101 - inspired-sec.com
  • There is a shell in your lunch-box by Rotimi Akinyele
  • Advanced USB key phishing: Bypass airgap, drop, pwn using macro_pack - Emeric Nasi
  • Red Team Attack Operation RT-011 - Phishing - Fake Laptop Upgrade - Gitlab(2020)
  • Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red - Dimitry Snezhkov
• Phishing Metrics
  • Articles/Blogposts
    • Internal Phishing Exercise Difficulty Scoring Tool - Cedric Owens(2018)
    • Introducing the Phishing Difficulty Calculator: How Hard Are Your Phishing Tests? - Masha Sedova(2018)
    • 37+ Stunningly Scary Phishing Statistics – An Ever-Growing Threat - hostingtribunal.com(2020)
  • Talks & Presentations
  • Tools
    • PhishDifficultyScorer
      • python3 script that rates the difficulty of a given phishing exercise.
• Phishing Pre-texts
  • Articles/Blogposts
    • This Phish Uses DocuSign to Slip Past Symantec Gateway and Target Email Credentials - Tej Tulachan(2019)
    • 9 Things I’ve Learned Writing Phishing Emails - Craig Hays(2019)
  • Talks & Presentations
    • Phishy Little Liars - Pretexts That Kill (Alethe Denis(BSidesSF2020)
      • The 'IT Guy' is the Nigerian Prince of Pretexts. As bad actors begin to use more specialized pretexts, so too should Pentesters use more specialized, custom pretexts during assessments. Learn to make custom pretexts that fly under the radar and won’t raise any red flags using target specific data.
    • Phishing Pretexts
      • A library of pretexts to use on offensive phishing engagements. Orginially presented at Layer8 by @L4bF0x and @RizzyRong.
      • Video Presentation
      • Slides
  • Tools
    • RealBusinessmen
      • All Business, All the Time.
• Vishing
  • Articles/Blogposts
  • Talks & Presentations
    • Vishing, Not just for Extroverts! - James Morris(BSidesAugust2019)
  • Tools
• Other
  • EmailAddressMangler
    • This module mangles two lists of names together to generate a list of potential email addresses or usernames. It can also be used to simply combine a list of full names in the format (firstname lastname) into either email addresses or usernames.
• Homoglyphs/Punicode/Unicode
  • 101
    • IDN homograph attack - Wikipedia
      • "The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character "a" is replaced with the Cyrillic character "а"."
  • Articles/Blogposts
    • [Olc: Ruin someone’s day with homoglyphs - Teamwork Engineering]](https://engineroom.teamwork.com/olc-ruin-someones-day-with-homoglyphs-b14e9a1a05a4?gi=81bb0f02b356)
    • Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing - Adrian Crenshaw()
    • Domain hacks with unusual Unicode characters - @edent(2018)
    • É¢oogle.news is not google.news: POC For Google Phishing with SSL - Avi Lumelsky(2020)
    • Out of character: Homograph attacks explained - Jovi Umawing(2018)
    • Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains - Matt Hamilton(2020)
    • Homoglyph attack prevention with OCR. - Aaron (Ari) Bornstein(2019)
  • Tools
    • Homoglyph Attack Generator - Adrian Crenshaw
    • homoglyph
      • A big list of homoglyphs and some code to detect them
    • olc
      • Ruins days by replacing characters in files with a homograph / homoglyph (like substituting semi-colons with the Greek question mark). "Olc" is the Irish word for "bad".

---

Documentation

• BetterSolutions.com - Microsoft Office Expertise and Automation for End Users
• Dynamic Data Exchange(DDE)
  • About Dynamic Data Exchange - docs.ms
  • Dynamic Data Exchange - docs.ms
    • This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
  • Dynamic Data Exchange - docs.ms
    • This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
• DomainKeys Identified Mail
  • DomainKeys Identified Mail - Wikipedia
• Domain Message Authentication, Reporting, and Conformance - DMARC
  • DMARC - Wikipedia
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) - RFC7489
• Excel File Formats
  • Microsoft Office EXCEL97-2007BINARY File Format Specification[*.xls (97-2007) format]
  • Insert an object in your Excel spreadsheet - support.office
• Extensible Stylesheet Language(XSL/XSL Transformations)
  • What Is XSLT - G. Ken Holman(2000)
  • Hello, World! (XSLT) - docs.ms
    • The following example shows a simple but complete XML document transformed by an XSLT style sheet. The source XML document, hello.xml, contains a "Hello, World!" greeting from "An XSLT Programmer".
  • XSLT Stylesheet Scripting Using <msxsl:script> - docs.ms
  • Stylesheet (XSL) web resources - docs.ms
  • XSLT for MSXML - docs.ms
• Excel Macros
  • Application.ExecuteExcel4Macro method (Excel) - docs.ms(2019)
  • Excel 4.0 Macro Functions Reference - Philip Treacy
• Excel PowerQuery
  • Introduction to Microsoft Power Query for Excel - support.ms
  • Power Query - Overview and Learning - support.ms
• Factur-X
  • Factur-X
    • Factur-X is a Franco-German standard for hybrid e-invoice (PDF for users and XML data for process automation), the first implementation of the European Semantic Standard EN 16931 published by the European Commission on October 16th 2017. Factur-X is the same standard than ZUGFeRD 2.0.
    • Factur-X is at the same time a full readable invoice in a PDF A/3 format, containing all information useful for its treatment, especially in case of discrepancy or absence of automatic matching with orders and / or receptions, and a set of invoice data presented in an XML structured file conformant to EN16931 (syntax CII D16B), complete or not, allowing invoice process automation.
  • Factur-X Python library - github
    • Factur-X is a EU standard for embedding XML representations of invoices in PDF files. This library provides an interface for reading, editing and saving the this metadata.
• MS Word Field Codes
  • Insert, edit, and view fields in Word - support.ms
    • Fields codes are useful as placeholders for data that might change in your document, and you can use them to automate certain aspects of your document. Field codes are inserted for you when you use Word features like page numbers or a table of contents, but you can insert field codes manually for other tasks like performing calculations or filling in document content from a data source.
  • List of field codes in Word - support.ms
• MS Office File Formats
  • File format reference for Word, Excel, and PowerPoint - docs.ms(2020)
    • Supported file formats and their extensions are listed in the following tables for Word, Excel, and PowerPoint.
  • [MS-CFB]: Compound File Binary File Format - docs.ms(2020)
  • OpenOffice.org's Documentation of theMicrosoft Compound Document File Format - Daniel Rentz
  • MS-OSHARED: Office Common Data Types and Objects Structures. Includes property sets that can store document-level properties (metadata).
  • MS-OLEPS: Object Linking and Embedding (OLE) Property Set Data Structures. Property sets in XLS documents are stored as OLE items.
  • MS-OFFCRYPTO: Office Document Cryptography Structure (latest version).
  • [MS-XLS]: Excel Binary File Format (.xls) Structure - docs.ms
    • Specifies the Excel Binary File Format (.xls) Structure, which is the binary file format used by Microsoft Excel 97, Microsoft Excel 2000, Microsoft Excel 2002, and Microsoft Office Excel 2003.
  • MICROSOFT OFFICE EXCEL97-2007BINARY FILE FORMAT SPECIFICATION[*.xls (97-2007) format]
  • About the .xls binary format - gaia-gis.it
  • [MS-XLSX]: Excel (.xlsx) Extensions to the Office Open XML SpreadsheetML File Format - docs.ms(2020)
    • Specifies the Excel (.xlsx) Extensions to the Office Open XML SpreadsheetML File Format, which are extensions to the Office Open XML file formats as described in [ISO/IEC-29500-1]. The extensions are specified using conventions provided by the Office Open XML file formats as described in [ISO/IEC-29500-3].
  • OpenOffice.org's Documentation of the Microsoft Excel File Format - Daniel Rentz
  • Office VBA Reference - docs.ms(2019)
    • Office Visual Basic for Applications (VBA) is an event-driven programming language that enables you to extend Office applications.
• HTA
  • 101
    • HTML Application - Wikipedia
    • HTML Applications - docs.ms(2013)
      • HTML Applications (HTAs) are full-fledged applications. These applications are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates. In short, HTAs pack all the power of Windows Internet Explorer—its object model, performance, rendering power, protocol support, and channel–download technology—without enforcing the strict security model and user interface of the browser. HTAs can be created using the HTML and Dynamic HTML (DHTML) that you already know.
    • Learn About Scripting for HTML Applications (HTAs) - technet.ms
  • Introduction to HTML Applications (HTAs) - docs.ms(2013)
  • HTML Applications Reference - docs.ms(2013)
  • Articles/Blogposts/Writeups
    • Extreme Makeover: Wrap Your Scripts Up in a GUI Interface - technet.ms
• Object Linking and Embedding
  • Object Linking and Embedding - Wikipedia
  • OLE - msdn.ms
  • OLE Background - docs.ms
  • [MS-OLEDS]: Object Linking and Embedding (OLE) Data Structures - msdn.ms
  • Insert an object in your Excel spreadsheet - support.office
• Office Open XML Format
  • Introducing the Office (2007) Open XML File Formats - docs.ms
• Office URI Schemes
  • Office URI Schemes - docs.ms
    • This document defines the format of Uniform Resource Identifiers (URIs) for office productivity applications. The scheme is supported in Microsoft Office 2010 Service Pack 2 and later, including the Microsoft Office 2013 for Windows and the Microsoft SharePoint 2013 products. It is also supported in Office for iPhone, Office for iPad, and Office for Mac 2011.
• Protected View
  • What is Protected View? - support.office.com
• ScriptControl
  • Using ScriptControl Methods - docs.ms
    • The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state.
• Sender Policy Framework - SPF
  • Sender Policy Framework - Wikipedia
• SMTP Strict Transport Security
  • SMTP Strict Transport Security
• Subdocument Reference
  • SubDocumentReference class - msdn.ms
• Transport Neutral Encapsulation Format
  • Transport Neutral Encapsulation Format - Wikipedia
• Visual Basic for Applications (VBA)
  • [MS-OVBA]: Office VBA File Format Structure - msdn.ms
    • Specifies the Office VBA File Format Structure, which describes the Microsoft Visual Basic for Applications (VBA) File Format for Microsoft Office 97, Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office system. This specification also describes a storage that contains a VBA project, which contains embedded macros and custom forms for use in Office documents.
  • [MS-VBAL]: VBA Language Specification
    • Specifies the VBA Language, which defines the implementation-independent and operating system-independent programming language that is required to be supported by all conforming VBA implementations. This specification also defines all features and behaviors of the language that are required to exist and behave identically in all conforming implementations.
• Visual Basic Script
  • Using Visual Basic Scripting Edition - docs.ms(2019)
  • VBScript Fundamentals - rhino3d.com
  • VBScript - Wikipedia
  • What is VBScript? Introduction & Examples - Guru99
  • What Is VBScript, and Why Did Microsoft Just Kill It? - Chris Hoffman(2019)
    • VBScript no longer supported in IE by default.
  • Rob van der Woude's VBScript Scripting Techniques
• XLL
  • Welcome to the Excel Software Development Kit - msdn.ms
  • Accessing XLL code in Excel - docs.ms
• General
  • SPF, DKIM, and DMARC Demystified - McAfee
  • Add commands to your presentation with action buttons
    • Add commands to your presentation with action buttons
  • Variable Object (Word) - msdn.ms
  • Using ScriptControl Methods - docs.ms
    • The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state.
  • VBA ScriptControl to run Java Script Function
  • CallByName Function - msdn.ms
    • Executes a method of an object, or sets or returns a property of an object. SyntaxCallByName( object, procname, calltype,[args()])

---

Phishing Frameworks:

• All-in-Ones
  • Phishing Frenzy
    • Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.
  • sptoolkit
    • Simple Phishing Toolkit is a super easy to install and use phishing framework built to help Information Security professionals find human vulnerabilities
  • sptoolkit-rebirth
    • sptoolkit hasn't been actively developed for two years. As it stands, it's a brilliant peice of software, and the original developers are pretty damn awesome for creating it. But we'd like to go further, and bring sptoolkit up to date. We've tried contacting the developers, but to no avail. We're taking matters into our own hands now.
  • KingPhisher
    • King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.
  • Gophish
    • Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.
    • gophish documentation
  • FiercePhish
    • FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more
  • Mercure
    • Mercure is a tool for security managers who want to teach their colleagues about phishing.
  • Cartero
    • Cartero is a modular project divided into commands that perform independent tasks (i.e. Mailer, Cloner, Listener, AdminConsole, etc...). In addition each sub-command has repeatable configuration options to configure and automate your work.
  • King Phisher
    • King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness training to more complicated scenarios in which user aware content is served for harvesting credentials.
  • SpeedPhish Framework
    • SPF (SpeedPhish Framework) is a python tool designed to allow for quick recon and deployment of simple social engineering phishing exercises.
  • Phishing-API
    • This API has three main features. One allows you to easily deploy cloned landing pages for credential stealing, another is weaponized Word doc creation, and the third is saved email campaign templates. Both attack methods are integrated into Slack for real-time alerting.
• Built for 2FA
  • CredSniper
    • CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. Easily launch a new phishing site fully presented with SSL and capture credentials along with 2FA tokens using CredSniper. The API provides secure access to the currently captured credentials which can be consumed by other applications using a randomly generated API token.
  • ReelPhish
    • ReelPhish: A Real-Time Two-Factor Phishing Tool
  • evilginx2
    • evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
  • modlishka
    • Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client. What does this exactly mean? In short, it simply has a lot of potential, that can be used in many use case scenarios...
• One-Off
• Social Media
  • ShellPhish
    • Phishing Tool for Instagram, Facebook, Twitter, Snapchat, Github, Yahoo, Protonmail, Google, Spotify, Netflix, Linkedin, Wordpress, Origin, Steam, Microsoft, InstaFollowers, Pinterest
  • social_attacker
    • An Open Source Multi Site Automated Social Media Phishing Framework
  • SocialFish
    • Easy phishing using social media sites
• Specific Purpose
  • Ares
    • Phishing toolkit for red teams and pentesters. Ares allows security testers to create a landing page easily, embedded within the original site. Ares acts as a proxy between the phised and original site, and allows (realtime) modifications and injects. All references to the original site are being rewritten to the new site. Users will use the site like they'll normally do, but every step will be recorded of influenced. Ares will work perfect with dns poisoning as well.
  • FormPhish
    • Auto Phishing form-based websites. This tool can automatically detect inputs on html form-based websites to create a phishing page.
  • LockPhish
    • Lockphish is a tool for phishing attacks on the lock screen, designed to grab Windows credentials, Android PIN and iPhone Passcode
  • otu-plz
    • otu-plz is an open-source phishing campaign toolkit that makes setting up phishing infrastructure, sending emails with one-time use tokens, and evading blue teams a breeze. It also stores all information within a database to keep track of clicks and other data.
  • WifiPhisher
    • Wifiphisher is a rogue Access Point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks. Wifiphisher can be further used to mount victim-customized web phishing attacks against the connected clients in order to capture credentials (e.g. from third party login pages or WPA/WPA2 Pre-Shared Keys) or infect the victim stations with malwares.
  • pompa
    • Fully-featured spear-phishing toolkit - sample docker setup (Linux-compatible)
• Templates
  • SimplyTemplate
    • Phishing Template Generation Made Easy. The goal of this project was to hopefully speed up Phishing Template Gen as well as an easy way to ensure accuracy of your templates. Currently my standard Method of delivering emails is the Spear Phish in Cobalt strike so you will see proper settings for that by defaul
  • TackleBox
    • A phishing toolkit for generating and sending phishing emails.

---

Payloads

• Delivery
  • File smuggling
    • Articles/Blogposts/Writeups
      • Generic bypass of next-gen intrusion / threat / breach detection systems - Zoltan Balazs(2015)
      • HTML smuggling explained - Stan Hegt(2018)
      • Smuggling HTA files in Internet Explorer/Edge - Richard Warren(2017)
      • File Smuggling with HTML and JavaScript - @spottheplanet
      • Strange Bits: HTML Smuggling and GitHub Hosted Malware - Karsten Hahn(2019)
    • Tools
      • IronSquirrel
        • https://github.com/MRGEffitas/Ironsquirrel
      • EmbedInHTML
        • What this tool does is taking a file (any type of file), encrypt it, and embed it into an HTML file as resource, along with an automatic download routine simulating a user clicking on the embedded ressource. Then, when the user browses the HTML file, the embedded file is decrypted on the fly, saved in a temporary folder, and the file is then presented to the user as if it was being downloaded from the remote site. Depending on the user's browser and the file type presented, the file can be automatically opened by the browser.
• CHM File
  • 101
    • Microsoft Compiled HTML Help - Wikipedia
    • Unofficial (Preliminary) HTML Help Specification - Paul Wise, Jed Wing(nongnu.org)
  • Articles/Blogposts/Writeups
    • Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity Injection - hyp3rlinx(2019)
      • Microsoft compiled HTML Help and uncompiled .chm files can be leveraged for XML external entity injection attacks.
  • Talks/Presentations/Videos
  • Tools
    • List of CHM readers and viewers for Window - blog.kowalczyk
• ClickOnce
  • 101
    • Demystifying ClickOnce - ericlaw(2019)
    • ClickOnce security and deployment - docs.ms
    • "ClickOnce is a deployment technology that enables you to create self-updating Windows-based applications that can be installed and run with minimal user interaction. Visual Studio provides full support for publishing and updating applications deployed with ClickOnce technology if you have developed your projects with Visual Basic and Visual C#. "
    • What is an APPREF-MS file? - fileinfo.com
      • Application reference file used by ClickOnce, a Microsoft platform used to deploy and run remote Web applications; contains a local or remote link to an application; commonly used to enable links from the Windows Start Menu.
  • Articles/Blogposts/Writeups
    • List Of ClickOnce Articles - @robindotnet
    • ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution - bohops
    • ClickOnce Security and Deployment - docs.ms
    • ClickOnce application suddenly blocked by AppLocker Group Policy - tech.xenit
    • publishing-clickonce-applications.md - MS Visual Studio Docs
    • ClickOnce deployment for Add-in Express solutions
    • Continuously Deploy Your ClickOnce Application From Your Build Server - Daniel Schroeder(2017)
    • ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution - BOHOPS(2017)
    • How to sign a ClickOnce application - StackOverflow(2012)
  • Talks/Presentations/Videos
    • All You Need is One - A ClickOnce Love Story - Ryan Gandrud, Cody Wass(Secure360 2015)
    • ClickOnce and You're in - When Appref-ms Abuse is Operating as Intended - William Burke(BHUSA2019)
      • Slides
      • As tried-and-true methods of code execution via phishing are getting phased out, new research was required to maintain that avenue of gaining initial access. Sifting through different file types and how they operate led to further examination of the ".Appref-ms" extension, utilized by Microsoft's ClickOnce. This research led down a long and winding road, not only resulting in some new updates to be applied to our phishing methodology but an innovative method for C2 management as well - all while staying within the means of how appref-ms is intended to be used. Follow us down the rabbit hole as we delve into what an .appref-ms file is, how it operates, and some of the methods discovered that can be leveraged to deploy our own nefarious purposes. We will also provide insight on what this execution looks like from the user's perspective, and additional steps that can be taken throughout deployment to further mask and enhance these malicious capabilities. To play our own devil's advocate, we will also cover potential indicators of compromise that result from appref-ms abuse in addition to some preemptive measures that can be deployed to protect against it. Appref-ms abuse has the potential to be a great addition to any security tester's toolkit. It runs natively on Windows 10 and 7, blends in with normal operations, and is an easily adaptable method of code delivery and execution. It's up to you to determine how to use it.
  • Tools
    • ClickOnceGenerator
      • Quick Malicious ClickOnceGenerator for Red Team. The default application a simple WebBrowser widget that point to a website of your choice.
• DotNetToJScript
  • Articles/Blogposts/Writeups
    • DotNetToJScript
      • A tool to create a JScript file which loads a .NET v2 assembly from memory.
    • Disabling AMSI in JScript with One Simple Trick - James Forshaw(2018)
    • CSharp, DotNetToJScript, XSL - Rastamouse(2018)
    • Executing C# Assemblies from Jscript and wscript with DotNetToJscript - @spottheplanet
    • Advanced TTPs – DotNetToJScript (Part 1) - Jerry Odegaard(2020)
      • "We’ve covered the basics on what DotNetToJScript is, and why you should still care about it. We’ve also seen that it’s pretty easy to get DotNetToJScript downloaded, built and tested. In the next blog on this topic we’ll modify the UnmanagedPowerShell project’s PowerShellRunner to use with DotNetToJScript. Stay tuned!"
    • Part 2
      • "We’ve made some progress in weaponizing a DotNetToJScript payload. We repurposed the PowerShellRunner component from the UnmanagedPowerShell project to execute PowerShell commands directly from client-side JavaScript. Our payload completely avoids sophisticated PowerShell logging in environments that still have .NET 2.0 installed, which in our experience is most environments. In the next blog, we’ll take a look at further weaponizing DotNetToJScript by manually building a malicious document (maldoc) to execute our payload!"
    • Part 3
• GadgetToJScript
  • 101
    • GadgetToJScript
      • A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
    • GadgetToJScript, Covenant, Donut - 3xpl01tc0d3r(2020)
  • Tools
• HTA
  • Articles/Blogposts/Writeups
    • HTA Tips - 599cd.com
    • Rob van der Woude's VBScript Scripting Techniques: HTA
    • Hacking around HTA Files
    • LethalHTA - A new lateral movement technique using DCOM and HTA - codewhitesec
    • MSHTA code execution - bypass application whitelisting. - @spottheplanet
    • Bypass Application Whitelisting using mshta.exe (Multiple Methods) - Raj Chandel
    • Pentesting and .hta (bypass PowerShell Constrained Language Mode) - Josh Graham(2018)
    • pentesting .hta files
    • Malicious HTAs - trustedsec
    • Analysis of an Interesting Malicious HTA File - Amir Niakanlahiji
  • Tools
    • WeirdHTA
      • A python tool to create obfuscated HTA script.
    • Demiguise
      • The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.
    • morphHTA - Morphing Cobalt Strike's evil.HTA
    • LethalHTA
      • "Repo for our Lateral Movement technique using DCOM and HTA."
• OLE+LNK / Embedded Objects
  • Click me if you can, Office social engineering with embedded objects - Yorick Koster(2018)
  • Phishing: Embedded HTML Forms - @spottheplanet
  • Phishing: OLE + LNK - @spottheplanet
  • Phishing: Embedded Internet Explorer - @spottheplanet
• PDF
  • Articles/Blogposts/Writeups
    • PDF – NTLM Hashes - pentestlab.blog
  • Tools
    • JS2PDFInjector
      • Use this tool to Inject a JavaScript file into a PDF file.
    • Bad-PDF
      • Bad-PDF create malicious PDF file to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines, it utilize vulnerability disclosed by checkpoint team to create the malicious PDF file. Bad-Pdf reads the NTLM hashes using Responder listener.
    • Worse-PDF
      • Turn a normal PDF file into malicious.Use to steal Net-NTLM Hashes from windows machines.
    • pdf2xdp.rb
      • This script converts a PDF file to an equivalent XML Data Package file, which can be opened by Adobe Reader as well and typically escapes AV detection better than a "normal" PDF
    • peepdf
      • peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements, supports all the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files. With the installation of PyV8 and Pylibemu it provides Javascript and shellcode analysis wrappers too. Apart of this it's able to create new PDF files and to modify/obfuscate existent ones.
• .SettingContent-ms
  • 101
    • The Tale of SettingContent-ms Files - Matt Nelson(2018)
  • Articles/Blogposts/Writeups
    • Defending Against SettingContent-MS being used in MS Office and PDF Files - Taeil Goh
    • TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT - ProofPoint
    • Analysis - .SettingContent-ms Exploit -
    • Microsoft Blocks Embedding SettingContent-ms Files in Office 365 Docs -
    • SettingContent-ms can be Abused to Drop Complex DeepLink and Icon-based Payload - Michael Villanueva
    • Weaponizing .SettingContent-ms Extensions for Code Execution - David Kennedy(2018)
  • Tools
    • auto_SettingContent-ms
      • This is a quick POC for using the Matt Nelson (enigma0x3) technique for generating a malicious .SettingContent-ms extension type for remote code execution. This automates generating an HTA downloader and embeds it in the SettingContent-ms file for you and starts Apache.
    • SettingContent-MS-File-Execution
      • SettingContent-MS File Execution vulnerability in Windows 10 PoC
• Symbolic Link(Sylk) Files
  • SYmbolic Link - Wikipedia
  • sylksum.doc
  • Sylk + XLM = Code execution on Office 2011 for Mac - Pieter Ceelen(2018)
  • Abusing the SYLK file format - Stan Hegt(2019)
  • Abusing XLM Macros in SYLK Files - Patrick Wardle(2019)
  • Phishing: .SLK Excel - @spottheplanet
• UNC
  • Articles/Blogposts/Writeups
  • Tools

---

Tools

• Cloning
  • Cooper
    • Cooper simplifies the process of cloning a target website or email for use in a phishing campaign. Just find a URL or download the raw contents of an email you want to use and feed it to Cooper. Cooper will clone the content and then automatically prepare it for use in your campaign. Scripts, images, and CSS can be modified to use direct links instead of relative links, links are changed to point to your phishing server, and forms are updated to send data to you -- all in a matter of seconds. Cooper is cross-platform and should work with MacOS, Linux, and Windows.
• Defense
  • IsThisLegit
    • IsThisLegit is a dashboard and Chrome extension that makes it easy to receive, analyze, and respond to phishing reports.
• Document Generation
  • unioffice
    • unioffice is a library for creation of Office Open XML documents (.docx, .xlsx and .pptx). It's goal is to be the most compatible and highest performance Go library for creation and editing of docx/xlsx/pptx files.
• Domains
  • CatMyFish
    • Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
  • CatPhish
    • Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers.
• Email Harvesting
  • Email Address Harvesting for Phishing
  • PhishBait
    • Tools for harvesting email addresses for phishing attacks
• Local Phishing
  • Ask and ye shall receive - Impersonating everyday applications for profit - FoxIT
  • Invoke-CredentialPhisher
    • The first one is a powershell script to send toast notifications on behalf on an (installed) application or the computer itself. The user will be asked to supply credentials once they click on the notification toast. The second one is a Cobalt Strike module to launch the phishing attack on connected beacons.
  • Phishing for Credentials: If you want it, just ask! - enigma0x3
  • iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking - Felix Krause
  • Gone-Phishing-2
    • This is a new and improved version of Gone Phishing that uses applescript to phish for a Mac user's password. It uploads the password and keychain items to a remote server
• Payloads
  • Social-Engineering-Payloads - t3ntman
  • backdoorppt
    • transform your payload.exe into one fake word doc (.ppt)
  • malicious_file_maker
    • malicious file maker/sender to create and send malicious attachments to test your email filter/alerting
  • VBA ScriptControl to run Java Script Function
  • CVE-2018-8420 | MS XML Remote Code Execution Vulnerability - portal.msrc.ms
  • Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution/CVE:2019-0541
  • Abusing native Windows functions for shellcode execution - ropgadget
  • docem
    • Uility to embed XXE and XSS payloads in docx,odt,pptx,etc (OXML_XEE on steroids)
• Recon
  • hackability
    • Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
  • Image-Cache-Logger
    • A simple tool to see when other services/clients like Gmail open an image and test if they are storing it within their cache.
• SMTP Server
  • Papercut
    • Simple Desktop SMTP Server
• User Profiling
  • DeviceDetector.NET
    • The Universal Device Detection library will parse any User Agent and detect the browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model.

---

Microsoft Outlook/Exchange Stuff/Office 365

• General
  • Outlook Home Page - Another Ruler Vector
  • Outlook Forms and Shells
  • Exchange Versions, Builds & Dates
  • Microsoft Support and Recovery Assistant for Office 365
  • Elevating your security with Office 365 clients. - BRK3143
• Articles/Blogposts/Writeups
  • Office 365 Vulnerable to Brute Force Attack via Powershell - Tyler(2018)
• Bypass
  • How to bypass Web-Proxy Filtering
• Hiding Inbox Rules in O365
  • O365: Hidden InboxRules - Matthew Green(2019)
    • "In this post Im going to talk about Office365 hidden inbox rules. Im going to give some background, show rule modification, and talk about detection methodology."
  • Hidden Inbox Rules in Microsoft Exchange - Damian Pfammatter(2020)
• Outlook Rules
  • Malicious Outlook Rules(2015) - Nick Landers
  • EXE-less Malicious Outlook Rules - BHIS
• Talks & Presentations
  • Outlook and Exchange for the Bad Guys - Nick Landers(Derbycon6)
• Tools
  • MailRaider
  • Phishery
    • An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector * MailRaider is a tool that can be used to browse/search a user's Outlook folders as well as send phishing emails internally using their Outlook client.
  • PyEWS Documentation
  • o365-attack-toolkit
    • Introducing the Office 365 Attack Toolkit - MDSec

---

MS Office

• General
  • Articles/Blogposts/Writeups
    • VB2018 paper: Office bugs on the rise - Gabor Szappanos
    • Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17
    • Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - Pwndizzle
    • Analysis of the Attack Surface of Microsoft Office from a User's Perspective
    • Document Tracking: What You Should Know - justhaifei1
    • Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - PwnDizzle
    • Persisting with Microsoft Office: Abusing Extensibility Options - William Knowles
    • office-exploit-case-study
      • I collect some office vuln recent years.Many samples are malware used in the real world,please study them in virtual machine.Take responsibility yourself if you use them for illegal purposes. Samples should match hash in corresponding paper if mentioned.
      • Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17
      • Next Gen Office Malware Repo
  • Papers
    • OpenDocument and Open XML security (OpenOffice.org and MS Office 2007) - Philippe Lagadec
      • Abstract: OpenDocument and Open XML are both new open file formats for office documents. OpenDocument is anISO standard, promoted by OpenOffice.org and Sun StarOffice.Open XML is the new format for Microsoft Office 2007 documents, an ECMA standard. These two formats share the same basic principles: XML files within a ZIP archive, with an open schema, in contrast to good-old proprietary formats (MS Word, Excel, PowerPoint, ...). However, both of them sufferfrom many security issues, similar to previous Office formats: malicious people can still embed and hide malware (Trojanhorses and viruses) thanks to macros, scripts, OLE objects and similar features. This paper shows the security issues with technical details, including XML and ZIP obfuscation techniques that may be used to bypass antiviruses, and describes howto design a filter to get rid of unwanted parts in a safe way
  • Inbuilt Functions
    • Variable Object (Word) - msdn.ms
    • Using ScriptControl Methods - docs.ms
      • The ScriptControl contains methods to execute code, add code and objects to the scripting engine, and reset the scripting engine to its initial state.
  • Access
    • Phishing for “Accessâ€Â� - Changing Phishing Tactics Require Closer User and Defender Attention - Steve Borosh
    • MAccess - Bypassing Office macro warnings - kaiosec
    • Changing Phishing Tactics Require Closer User and Defender Attention - nuix.com
  • Excel
    • Articles/Blogposts/Writeups
      • When Scriptlets Attack: Excel’s Alternative to DDE Code Execution - David Wells
      • Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray
      • Insert an object in your Excel spreadsheet - support.office
    • Talks & Presentations
      • Tricks to Improve Web App Excel Export Attacks - Jerome Smith(CAMSEC)
        • This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides.
      • Slides
    • Tools
      • Excel-DNA
        • Excel-DNA is an independent project to integrate .NET into Excel. With Excel-DNA you can make native (.xll) add-ins for Excel using C#, Visual Basic.NET or F#, providing high-performance user-defined functions (UDFs), custom ribbon interfaces and more. Your entire add-in can be packed into a single .xll file requiring no installation or registration.
  • EXD Files
    • EXD: An attack surface for Microsoft Office
      • Fortinet has discovered a potential attack surface for Microsoft office via EXD file. After a malformed or specifically crafted EXD file was placed in an expected location, it could trigger a remote code execution when a document with ActiveX is opened with office applications.
  • NTLM Hashes
    • 101
    • Articles/Blogposts/Writeups
      • Microsoft Office - NTLM Hashes via Frameset - pentestlab.blog(2017)
      • UNC Path Injection with Microsoft Access - Stephan Borosh
      • 10 Places to Stick Your UNC Path - Karl Fossan
      • NTLM Credential Theft via malicious ODT Files - rmdavy.uk(2018)
    • Talks/Presentations/Videos
      • Leaking Windows Creds Externally Via MS Office - Tradecraft Security Weekly #21(2017)
        • In this episode of Tradecraft Security Weekly, Mike Felch discusses with Beau Bullock about the possibilities of using framesets in MS Office documents to send Windows password hashes remotely across the Internet. This technique has the ability to bypass many common security controls so add it to your red team toolboxes.
    • Tools
      • WordSteal
        • This script will create a POC that will steal NTML hashes from a remote computer. Do not use this for illegal purposes.The author does not keep responsibility for any illegal action you do. Microsoft Word has the ability to include images from remote locations.This is an undocumented feature but was found used by malware creators to include images through http for statistics.We can also include remote files to a SMB server and the victim will authenticate with his logins credentials.
  • PowerPoint
    • Phishing with PowerPoint - BHIS
    • PowerPoint and Custom Actions - Sean Wilson
  • OSX
    • Sylk + XLM = Code execution on Office 2011 for Mac - Pieter Celeen
• DDE
  • 101
    • Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
  • Blogposts/Writeups
    • Exploiting Office native functionality: Word DDE edition
    • Excel DDE Walkthrough
    • Macro-less Code Exec in MSWord - Etienne Stalmans, Saif El-Sherei
    • The Current State of DDE - Office DDE Attacks from an Offensive and Defensive Perspective - @0xdeadbeefJERKY
    • Microsoft Office - DDE Attacks - pentestlab.blog
    • Microsoft Office – DDE Attacks - pentestlab.blog
    • Abusing Microsoft Office DDE - SecuritySift
    • PowerShell, C-Sharp and DDE The Power Within
      • aka Exploiting MS16-032 via Excel DDE without macros.
    • Macroless DOC malware that avoids detection with Yara rule - Furoner.CAT
    • PowerShell, C-Sharp and DDE The Power Within - sensepost
    • Microsoft Office - DDE Attacks - pentestlab.blog
    • Abusing Microsoft Office DDE - SecuritySift
    • Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray
    • Abusing Microsoft Office DDE - Mike Czumak
    • The Current State of DDE - Office DDE Attacks from an Offensive and Defensive Perspective - @0xdeadbeefJERKY
    • The Current State of DDE - 0xdeadbeefjerky(2018/1)
    • PowerShell, C-Sharp and DDE The Power Within - sensepost(2016)
    • DDE Downloaders, Excel Abuse, and a PowerShell Backdoor - James Haughom Jr(2018)
  • Payload Creation/Generation
    • DDE Payloads - Panagiotis Gkatziroulis
    • Office-DDE-Payloads - 0xdeadbeefJERKY
      • Collection of scripts and templates to generate Word and Excel documents embedded with the DDE, macro-less command execution technique described by @_staaldraad and @0x5A1F (blog post link in References section below). Intended for use during sanctioned red team engagements and/or phishing campaigns.
    • CACTUSTORCH_DDEAUTO
      • OFFICE DDEAUTO Payload Generation script to automatically create a .vbs/.hta/.js payload for use inside a Microsoft Office document. Will create the DDEAUTO function to download and execute your payload using powershell or mshta that you can paste inside a Word document. That function can also be copy and pasted from Word to trigger in One Note/Outlook email/Outlook Calendar/Outlook Task.
    • Office DDEAUTO attacks - Will Genovese
  • Payload Obfuscation
    • MSWord - Obfuscation with Field Codes - Staaldraad
    • Malicious Excel DDE Execution with ML AV Bypass and Persistence - hyperiongray.com
    • Three New DDE Obfuscation Methods - reversinglabs.com
• DLL
  • DLL Tricks with VBA to Improve Offensive Macro Capability
  • DLL Execution via Excel.Application RegisterXLL() method
    • A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
  • ExcelDllLoader
    • Execute DLL via the Excel.Application object's RegisterXLL() method
• Embeds
  • Abusing Microsoft Office Online Video(2018) - Avihai Ben-Yossef
• Exploits
  • PowerShell, C-Sharp and DDE The Power Within
    • aka Exploiting MS16-032 via Excel DDE without macros.
  • Exploiting CVE-2017-0199: HTA Handler Vulnerability
  • CVE-2017-0199 Toolkit
  • CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler - Fireeye
  • CVE-2017-0199
    • Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
  • CVE-2017-11882
    • CVE-2017-11882 - Office RCE
    • Analysis of CVE-2017-11882 Exploit in the Wild - Yanhui Jia
    • webdav_exec CVE-2017-11882
    • Skeleton in the closet. MS Office vulnerability you didn't know about - Embedi
• Excel
  • Javascript
    • 101
      • Fundamental programming concepts with the Excel JavaScript API - docs.ms(2020)
        • This article describes how to use the Excel JavaScript API to build add-ins for Excel 2016 or later. It introduces core concepts that are fundamental to using the API and provides guidance for performing specific tasks such as reading or writing to a large range, updating all cells in range, and more.
      • Excel JavaScript API overview - docs.ms(2020)
      • Work with worksheets using the Excel JavaScript API - docs.ms(2020)
        • This article provides code samples that show how to perform common tasks with worksheets using the Excel JavaScript API.
      • Create custom functions in Excel - docs.ms(2020)
        • Custom functions enable developers to add new functions to Excel by defining those functions in JavaScript as part of an add-in. Users within Excel can access custom functions just as they would any native function in Excel, such as SUM().
    • Talks/Presentations/Videos
      • End-to-End Walkthrough of Excel JavaScript Add-in Development - Michael Zlatkovsky(2016)
        • In this webcast, I walk through the end-to-end process of building an Office Add-in for Excel: from launching Visual Studio, to writing a bit of JavaScript code that uses the new Excel 2016 APIs, to adding some basic UI tweaks, to talking through the publishing options, debugging, and more.
    • Tools
      • Excel-Custom-Functions
        • This repository contains the source code used by the Yo Office generator when you create a new custom functions project. You can also use this repository as a sample to base your own custom functions project from if you choose not to use the generator. For more detailed information about custom functions in Excel, see the Custom functions overview article in the Office Add-ins documentation or see the additional resources section of this repository.
      • SheetJSjs-xlsx
        • Parser and writer for various spreadsheet formats. Pure-JS cleanroom implementation from official specifications, related documents, and test files. Emphasis on parsing and writing robustness, cross-format feature compatibility with a unified JS representation, and ES3/ES5 browser compatibility back to IE6.
• Excel DDE PowerQuery
  • The Complete Guide to Power Query - howtoexcel.com
  • Exploit Using Microsoft Excel Power Query for Remote DDE Execution Discovered - Doron Attias
• Field Codes
  • MSWord - Obfuscation with Field Codes - Staaldraad
  • MS Office In Wonderland - Stan Hegt & Pieter Ceelen(BH Asia2019)
  • MS Word field abuse(2019) - Pieter Celeen
  • Detecting and Protecting Against Word Field Code Abuse - Mark E. Soderlund(2003)
• InfoPath
  • THE {PHISHING} {PATH} TO {INFO} WE MISSED
    • TL;DR: InfoPath is a fantastic way to run custom C# code, and we missed it as an attack vector sadly. At the moment it has been deprecated, but don't fret it's still everywhere!
  • Resources for learning InfoPath - support.office.com
  • InfoPhish
• LoL
  • Unsanitized file validation leads to Malicious payload download via Office binaries. - Reegun
• Macros
  • 101
    • Fundamentals of Malicious Word Macros - hunnicyber
    • Variable Object (Word) - msdn.ms
    • CallByName Function - msdn.ms
      • Executes a method of an object, or sets or returns a property of an object. Syntax CallByName( object, procname, calltype,[args()])
    • Intro to Macros and VBA for Script Kiddies - Adam Todd(2020)
    • The VBA Language for Script Kiddies - Adam Todd(2020)
    • Developing with VBA for Script Kiddies - Adam Todd(2020)
    • VBA Macros: Events Cheat-Sheet
      • Cheat-Sheet with events to look out for when analysing malicious Office documents. It is focused on Excel and Word since these are the most common ways to distribute malware.
  • Articles/Blogposts/Writeups
    • bpmtk: Bypassing SRP with DLL Restrictions - Didier Stevens(2008)
    • Excel Exercises in Style - Didier Stevens(2008)
    • Shellcode 2 VBScript - Didier Stevens(2009)
    • Using Excel 4 Macro Functions - ExcelofftheGrid(2017)
    • How To: Empire - Cross Platform Office Macro
    • Excel macros with PowerShell
    • Multi-Platform Macro Phishing Payloads
    • Abusing native Windows functions for shellcode execution - ropgadget
    • Microsoft Office - Payloads in Document Properties - pentestlab.blog
    • Pesky Old-Style Macro Popups — Advanced Maldoc Techniques - Carrie Roberts(2019)
    • MAccess: Bypassing Office macro warnings - kaiosec
    • Powershell Empire Stagers 1: Phishing with an Office Macro and Evading AVs - fzuckerman
    • Zero2Auto - Initial Stagers - From one Email to a Trojan - Danus(2020)
    • VBA Macros Pest Control - Philippe Lagadec
    • Luckystrike: An Evil Office Document Generator
    • Microsoft Office - Payloads in Document Properties - pentestlab.blog
      • Document properties in Microsoft office usually contain information related to the document and various other metadata details. However this location can be used to store commands that will execute payloads that are hosted on an SMB or HTTP server.
    • VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2 - itm4n(2018)
      • Part 2
    • Monster Lurking in Hidden Excel Worksheet - Rodel Mendez(2020)
    • Microsoft Windows LNK Remote Code Execution Vulnerability — CVE-2020-1299 - vincss
  • ActiveX
    • Having Fun with ActiveX Controls in Microsoft Word - Marcello Salvati
    • Running Macros via ActiveX Controls - Parvez
    • Alternative Execution: A Macro Saga (part 1) - Jerry Odegaard(2020)
      • "In this blog post we examined a non-standard Office event trigger to execute VBA macro code by usage of an embedded ActiveX control: InkPicture. Originally the InkPicture.Painted() event handler was used by cyber criminals to evade antivirus prevention of the more common Document_Open() and Workbook_Open() event handlers associated with Microsoft Word and Excel. We’ve repurposed it for demonstration and went further to identify an additional InkPicture event handler that could be used as an alternative: InkPicture.Painting()."
    • Part 2
      • "In this blog we covered abuse of the Windows Media Player ActiveX control to trigger macro execution at the point in which a maldoc is opened. We identified and implemented reference code for three event handlers that can be used without specifying a valid media file for Windows Media Player to load. These methods of executing malicious VBA code do not depend on the Document_Open() or Workbook_Open() event handlers that are more commonly utilized by malicious actors to obtain code execution."
    • Part 3
      • "In this blog we spent the time and energy to craft another maldoc making use of an unconventional automatic execution method: The System Monitor ActiveX control. We also worked through the process I had used initially with both Windows Media Player and System Monitor by making use of the oleviewdotnet tool to enumerate and research the COM classes associated with these controls. Again, we’ve been able to demonstrate executing VBA code that doesn’t depend on Document_Open() or Workbook_Open() event handlers that are common with maldocs to obtain automatic execution on target systems."
  • Execution
    • CallByName Function - docs.ms
    • CallByName Function - msdn.ms
      • Executes a method of an object, or sets or returns a property of an object. SyntaxCallByName( object, procname, calltype,[args()])
    • Abusing native Windows functions for shellcode execution - ropgadget
    • Direct shellcode execution in MS Office macros - scriptjunkie.us
    • VBA ScriptControl to run Java Script Function
    • trigen
      • Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
  • Evasion
    • Articles/Blogposts/Writeups
      • I Think You Have the Wrong Number: Using Errant Callbacks to Enumerate and Evade Outlook's Sandbox - CX01N(2020)
      • Bypassing AMSI for VBA - Pieter Ceelen(2019)
      • Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA - @rd_pentest(2019)
      • How to Build Obfuscated Macros for your Next Social Engineering Campaign - Michael Finkel(2019)
      • Building an Office macro to spoof parent processes and command line arguments(2019) - Christophe Tafani-Dereeper
      • Playing Cat and Mouse: Three Techniques Abused to Avoid Detection - ZLAB-YOROI
      • Phishing template uses fake fonts to decode content and evade detection - ProofPoint(2019)
      • Bypassing Parent Child / Ancestry Detections - @spottheplanet
      • It All Swings Round-- Malicious Macros - SketchyMoose(2015)
      • Dechaining Macros and Evading EDR - Noora Hyvärinen(2019)
      • Yet another update to bypass AMSI in VBA - khr0x40sh (2019)
      • Advanced VBA macros: bypassing olevba static analyses with 0 hits - Gabriele Pippi
      • Multi-Stage Email Word Attack Without Macros - Homer Pacag(2018)
      • My VBA Bot: Writing Office Macro FUD encoder and other stuff - Emeric Nasi(2016)
      • Malicious Shapes In Office ? Part 1 - Laughing Mantis(2020)
        • Part 2
      • New Multi-Stage Word Phishing Attack Infects Users Without Using Macros - Stu Sjouwerman(2020)
        • Execution chain
      • How to REALLY protect your code ? making VBA project unviewable - Ratexcel(2017)
    • Tools
      • spoofing-office-macro
        • PoC of a VBA macro spawning a process with a spoofed parent and command line.
        • Blogpost
      • OfficeMacro64
        • This is a 64 bit VBA implementation of Christophe Tafani-Dereeper's original VBA code described in his blog @ https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
  • Excel Specific/Excel 4.0 Macros
    • 101
      • Working with Excel 4.0 macros - support.ms
      • Old school: evil Excel 4.0 macros (XLM) - Stan Hegt(2018)
      • Working with Excel 4.0 macros - support.ms
      • Application.ExecuteExcel4Macro method (Excel) - docs.ms
      • Microsoft Office Excel 97-2003 Binary File Format (.xls, BIFF8)
    • Articles/Blogposts/Writeups
      • Phishing: XLM / Macro 4.0 - @spottheplanet
      • Further Evasion in the Forgotten Corners of MS-XLS - malware.pizza(2020)
      • Evolution of Excel 4.0 Macro Weaponization - James Haughom and Stefano Ortolani(2020)
      • Macros and More with SharpShooter v2.0 - MDSec
      • XLS -> VBS -> .NET - James Haughom(2020)
      • Extracting "Sneaky" Excel XLM Macros - Amirreza Niakanlahiji, Pedram Amini(2019)
      • Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros - Amirreza Niakanlahiji, Pedram Amini(2020)
      • ZLoader 4.0 Macrosheets Evolution - William MacArthur, Amirreza Niakanlahiji, Pedram Amini
      • More Excel 4.0 Macro MalSpam Campaigns - Diana Lopera(2020)
      • Excel 4 Macro Generator (x86/x64) - Bytecod3r(2019)
      • Sylk + XLM = Code execution on Office 2011 for Mac - Pieter Ceelen(2018)
      • bypass endpoint with XLM weaponization - 0xsp
      • Excel 4.0 Macro, Old but New! - Hoang Bui(2019)
      • FlawedAmmyy RAT & Excel 4.0 Macros - Ryan Campbell
      • Phishing AMSI Bypass - christopherja.rocks(2020)
      • Social Engineering Using "Hidden" Macros In Excel - 1d8
      • JavaScript Coinhive in Excel - Charles Dardaman(2018)
      • Maldoc: Excel 4 Macros in OOXML Format - Didier Stevens(2020)
    • Talks/Presentations/Videos
      • Dynamic Analysis of Obfuscated Excel 4 Macros - mattifestation(2020)
      • Malware Analysis in Action - Episode 3 - DissectMalware
        • In this video, I analyze a malicious Excel document containing obfuscated XLM macro. It is part of a campaign that downloads and runs zloader on victims' machines.
    • Tools
      • EXCELntDonut
        • EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (DLL or EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files.
        • Blogpost
      • Macrome
        • An Excel Macro Document Reader/Writer for Red Teamers & Analysts. Blog posts describing what this tool actually does can be found here and here.
      • genxlm
        • Just a simple script to generate JScript code for calling Win32 API functions using XLM/Excel 4.0 macros via Excel.Application COM object and "ExecuteExcel4Macro" method. The script will generate a simple payload for performing a very basic shellcode injection by calling VirtualAlloc -> WriteProcessMemory -> CreateThread (just a poc, better options can be considered.)
      • XLMMacroDeobfuscator
        • XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully performing the code. It supports both xls, xlsm, and xlsb formats. It uses xlrd2, pyxlsb2 and its own parser to extract cells and other information from xls, xlsb and xlsm files, respectively.
    • XLL
      • Hello World XLL
        • This is a simple XLL, showing how to create an XLL from scratch.
      • xllpoc
        • A small project that aggregates community knowledge for Excel XLL execution, via xlAutoOpen() or PROCESS_ATTACH.
  • Keying
    • Articles/Blogposts/Writeups
      • VBA Macro with Environmental Keying and Encryption(2019) - Hunnic Cyber
  • macOS Specific
    • Escaping the Microsoft Office Sandbox: a faulty regex, allows malicious code to escape and persist
    • Word to Your Mac - analyzing a malicious word document targeting macOS users - Patrick Wardle
    • New Attack, Old Tricks› analyzing a malicious document with a mac-specific payload - Patrick Wardle
  • Remote Template Injection
    • 101
      • Executing Macros From a DOCX With Remote Template Injection - redxorblue(2018)
        • "In this post, I want to talk about and show off a code execution method which was shown to me a little while back. This method allows one to create a DOCX document which will load up and allow a user to execute macros using a remote DOTM template file. [..] This blog post will detail how to use this method to download a macro-enabled template over HTTP(S) in a proxy-aware method into a DOCX document."
      • Dynamic Office Template Injection - Joshua(2019)
      • Template Injection Attacks - Bypassing Security Controls by Living off the Land - Brian Wiltse(SANS 2019)
    • Articles/Blogposts/Writeups
      • Word template injection attack - Klion
      • VBA Macro Remote Template Injection With Unlinking & Self-Deletion - John Woodman(2019)
      • Word template injection attack - Klion
      • Maldoc uses template injection for macro execution - Josh Stroschein(2020)
      • Template Injection Attacks - Bypassing Security Controls by Living off the Land - Brian Wiltse(2020)
      • Inject Macros from a Remote Dotm Template - @spottheplanet
  • VBA Stomp(ing)
    • 101
      • VBA Stomp
    • Articles/Blogposts/Writeups
      • VBA and P-code - Didier Stevens(2016)
      • Malicious VBA Office Document Without Source Code - Didier Stevens(2019)
      • MS Office File Formats â€â€� Advanced Malicious Document (Maldoc) Techniques - Kirk Sayre, Harold Ogden, Carrie Roberts(2018)
        • This post will discuss basic file formats used by MS Office and some of their implications.
      • Evasive VBA - Advanced Maldoc Techniques - Kirk Sayre, Harold Ogden, Carrie Roberts(2018)
      • VBA Stomping - Advanced Maldoc Techniques - Kirk Sayre, Harold Ogden, Carrie Roberts
      • VBA Project Locked; Project is Unviewable - Carrie Roberts
      • STOMP 2 DIS: Brilliance in the (Visual) Basics - Rick Cole, Andrew Moore, Genevieve Stark, Blaine Stancill &
      • Evidence of VBA Purging Found in Malicious Documents
        • TL;DR We have found malicious Office documents containing VBA source code only, and no compiled code. Documents like these are more likely to evade anti-virus detection due to a technique we dubbed “VBA Purgingâ€�.
    • Talks/Presentations/Videos
      • VBA Stomping - Advanced Malware Techniques - Carrie Roberts, Kirk Sayre, Harold Ogden(Derbycon2018)
        • Slides
        • There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we refer to as VBA stomping refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. In this talk we will demonstrate detailed examples of VBA stomping as well as introduce some additional techniques. Reverse engineering and defense tips will also be provided.
      • MS Office file format sorcery - Stan Hegt, Pieter Ceelen(TR19)
        • Slides
        • A deep dive into file formats used in MS Office and how we can leverage these for offensive purposes. We will show how to fully weaponize ‘p-code’ across all MS Office versions in order to create malicious documents without using VBA code, successfully bypassing antivirus and other defensive measures.
      • Advanced Malware VBA Stomping - presented by Carrie Roberts & Kirk Sayre(Sp4kCon2019)
        • Slides
        • There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we call “VBA stompingâ€� refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. Come find out what is new with VBA Stomping since our presentation on the topic last year.
      • Advanced VBA Macros - Attack & Defense - Philippe Lagadec(BHEU2019
    • Tools
      • Example VBA Stomped Documents Repository
        • A repository of example VBA stomped documents. For more information about VBA Stomping, see vbastomp.com. These are non-malicious documents and the macro is a simple message box popup.
      • olevba
        • olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, anti-sandboxing and anti-virtualization techniques, and potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and decodes several common obfuscation methods including Hex encoding, StrReverse, Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. XLM/Excel 4 Macros are also supported in Excel and SLK files.
      • pcode2code.py
        • In 2019, EvilClippy tool made easily available for any attacker to dispose of an Office document where the macro code is transformed directly into bytecode. For any reference, please check this or this. To be able to analyze such "stomped" documents, Dr. Bontchev (@VessOnSecurity) released pcodedmp, a tool printing out the VBA bytecode of a document in a readable manner. However, the output might be still hardly readable and analyzable (please check out macaroni in tests folder). As such, pcode2code decompiles, based on pcodedmp's output, the VBA code.
      • EvilClippy
        • A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
      • Adaptive Document Builder (adb)
        • A framework for generating simulated malicious office documents.
      • VBASeismograph
        • tool for detecting VBA stomping. It has been developed and tested under Ubuntu 16.04.
      • pcodedmp.py
        • A VBA p-code disassembler
  • Tools
    • Generators
      • unicorn
        • Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
      • Pafish Macro
        • Pafish Macro is a Macro enabled Office Document to detect malware analysis systems and sandboxes. It uses evasion & detection techniques implemented by malicious documents.
      • Malicious Macro Generator
        • Simple utility design to generate obfuscated macro that also include a AV / Sandboxes escape mechanism.
      • macphish
        • Office for Mac Macro Payload Generator
      • Generate Macro - Tool
      • Generate MS Office Macro Malware Script
        • Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
      • Wepwnise
        • WePWNise is a proof-of-concept python script that generates architecture independent VBA code to be used in Office documents or templates. It aims in introducing a certain level of automation and intelligence to dynamically deliver its payload, circumventing defences such as application control and anti-exploitation mitigations that may exist on a target system.
      • Malicious Macro MSBuild Generator
        • Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
      • trigen
        • Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
      • macro_pack
        • macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from vba generation to final Office document generation.
      • MacroCreator
        • Invoke-MacroCreator is a powershell Cmdlet that allows for the creation of an MS-Word document embedding a VBA macro with various payload delivery and execution capabilities.
    • Samples
      • RobustPentestMacro
        • This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.
      • CVE-2017-8759-Exploit-sample
        • Flow of the exploit: Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe
    • Obfuscation
      • VBad
        • VBad is fully customizable VBA Obfuscation Tool combined with an MS Office document generator. It aims to help Red & Blue team for attack or defense.
      • MacroShop
        • Collection of scripts to aid in delivering payloads via Office Macros. Most are python.
• OLE
  • Phishing with Empire
  • Attacking Interoperability: An OLE Edition
  • Microsoft Powerpoint as Malware Dropper - Marco Ramilli
  • Office Document Macros, OLE, Actions, DDE Payloads and Filter Bypass - pwndizzle
  • #OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI - Kevin Beaumont
• Online Video in MS Word
  • Abusing Microsoft Office Online Video - Avihai Ben-Yossef(2018)
  • Phishing: Replacing Embedded Video with Bogus Payload - @spottheplanet
• PowerPoint Mouseover
  • New PowerPoint Mouseover Based Downloader – Analysis Results - dodgethissecurity_1ooun4(2017)
  • PowerPoint File Downloads Malware When You Hover a Link, No Macros Required(2017)
  • “Zusyâ€� PowerPoint Malware Spreads Without Needing Macros - SentinelOne(2017
  • Hover_with_Power - Mandar Satam
• Protected View
  • 101
    • What is Protected View? - support.office.com
  • Articles/Blogposts/Writeups
    • Phishing against Protected View
    • Understanding The Microsft Office 2013 Protected-View Sandbox - Yong Chuan, Kho (2015)
    • Corrupting Memory In Microsoft Office Protected-View Sandbox - Yong Chuan Koh(MS BlueHat '17)
      • The MS Office Protected-View is unlike any other sandboxes; it aims to provide only a text-view of the document contents and therefore does not have to provide full functionalities of the application. As a result, the broker -sandbox Inter-Process Communication (IPC) attack surface is greatly reduced. However this does not mean there are no vulnerabilities. This talk discussed the methodology for fuzzing this IPC attack surface, from the test-case generation to the discovery and analysis of CVE-2017-8502 and CVE-2017-8692.
    • Getting Malicious Office Documents to Fire with Protected View Enabled - Curtis Brazzell(2019)
• subDoc
  • 101
    • SubDocumentReference class - msdn.ms
  • Articles/Blogposts/Writeups
    • Abusing Microsoft Word Features for Phishing: subdoc
• Temporary File Drop
  • Demonstration of the Windows/Office "Insecure Temporary File Dropping" Vulnerability - justhaifeil
• TNEF
  • Transport Neutral Encapsulation Format - Wikipedia

---

OpenOffice/LibreOffice

• Attacking
  • Exploit Remote PC with Apache OpenOffice Text Document Malicious Macro Execution - Raj Chandel(2017)
• Exploits
  • CVE-2019-17400
    • A Tale of Exploitation in Spreadsheet File Conversions - Brett Buerhaus(2019)
    • CVE-2019-17400
  • CVE-2019-9848/9
    • LibreOffice – A Python Interpreter (code execution vulnerability CVE-2019-9848)
    • CVE-2019-9848 LibreLogo arbitrary script execution - libreoffice.org
    • CVE-2019-9849 - Tenable

---

Setting up a Server

• Mail Servers Made Easy - Inspired-Sec
• Postfix-Server-Setup
  • "Setting up a phishing server is a very long and tedious process. It can take hours to setup, and can be compromised in minutes. The esteemed gentlemen @cptjesus and @Killswitch_GUI have already made leaps and bounds in this arena. I took everything that I learned from them on setting up a server, and applied it to a bash script to automate the process.""