In 2019, Microsoft Office became cybercriminals’ preferred platform when carrying out attacks, and the number of incidents keeps increasing, according to Kaspersky Lab researchers. Boris Larin, Vlad Stolyarov and Alexander Liskin showed at the company’s Security Analyst Summit that the threat landscape has changed in the past two years and urged users to keep their software up to date and to avoid opening files that come from untrusted sources to reduce the risk of infection.

At the time, more than 70% of all the attacks Kaspersky Lab caught targeted Microsoft Office, and only 14% took advantage of browser vulnerabilities. Two years earlier, it was the opposite: Web-based vulnerabilities accounted for 45% of the attacks, while Microsoft Office had a 16% share.

Researchers said that this is because hacking browsers has become more expensive, as browser security has improved. “Browser developers put much effort into different kinds of security protections and mitigations,” Liskin said. “Attackers were looking for a new target, and MS Office has become a star.”

Liskin added that there are plenty of reasons why cybercriminals choose to attack the popular suite. “Microsoft Office has a huge number of different file formats,” he said. “It is deeply integrated into the Windows operating system.”

He also argued that when Microsoft created Office, it made several decisions that, in hindsight, aren’t optimal security-wise and are currently difficult to change. Making such alterations would have a significant impact on all the versions of the products, Liskin said.

A new report from SonicWall released in July 2020 shows this trend is growing. Office files have overtaken PDF documents as a delivery mechanism for malware.
Office documents make up 22.4% of all malicious file types, compared to 10.7% for PDFs.

A bit of good news in the SonicWall report: The number of detected malicious Office files declined slightly at the end of the first half of 2020. This was tempered by the discovery of new techniques to distribute malicious Excel files that evade anti-malware tools and hinder sandbox debugging and analysis.

The Kaspersky researchers pointed out that the most exploited vulnerabilities from the past two years are not in MS Office itself, but rather in related components. Two of those vulnerabilities, CVE-2017-11882 and CVE-2018-0802, exploit bugs found in Equation Editor. Cybercriminals prefer to use them because they can be found in every version of Microsoft Word released in the past 17 years. Moreover, building exploits for them does not require advanced skills, because the Equation Editor binary lacks modern protections and mitigations. These are simple, logical vulnerabilities, the researchers said.

Exploit uses Internet Explorer to hack Office

Another interesting vulnerability is CVE-2018-8174. In this unusual case, the vulnerability was actually in Internet Explorer, but the exploit was found in an Office file. “The exploit was delivered as an obfuscated RTF document,” researcher Larin said. “This is the first exploit to use a vulnerability in Internet Explorer to hack Microsoft Office.”

The infection chain has three steps. First, the victim opens the malicious document. As they do this, a second stage of the exploit is downloaded: an HTML page that contains VBScript code. This then triggers the third step, a use-after-free (UAF) vulnerability, and executes shellcode. UAF bugs are a type of memory corruption vulnerability that has been very successful in the past for browser exploitation.
The technique works by referencing memory after it has been freed, causing the software to crash or allowing an attacker to execute code.

Cybercriminals act fast on Microsoft exploits

What intrigues Larin, Stolyarov and Liskin the most about the cases they’ve studied is how fast cybercriminals operate. Most incidents start with a Microsoft Office zero-day that’s used in a targeted campaign. Once it becomes public, it’s only a matter of days until exploits appear on the dark web. Sometimes, it can even be faster, as has happened with CVE-2017-11882, the first Office Equation Editor vulnerability Kaspersky Lab researchers uncovered. The publication of the proof of concept was followed by a massive spam campaign that began on the very same day.

Microsoft Office vulnerabilities might become even more common in the near future, as attackers continue to target the suite. Larin advised users to keep their software updated, and to pay attention to the files they receive from dubious email addresses. “Our best recommendation is not to open links and files received from untrusted sources, and have installed security solutions with advanced detection of exploits,” Larin added.
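
As an added illustration of one check a mail or file gateway can apply to the Equation Editor abuse described above (this is not code from Kaspersky or SonicWall), the sketch below flags RTF files whose embedded object data names Equation Editor even when the hex is split up or the declared class says something else. It assumes an RTF container, the Equation Editor 3.0 ProgID "Equation.3", and constructed sample documents; the function names are hypothetical.

```python
import re

# ProgID of Equation Editor 3.0 objects: an assumption of this example, not from the article.
EQUATION_PROGID = b"equation.3"

def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each \\objdata payload in an RTF byte string."""
    for match in re.finditer(rb"\\objdata", rtf):
        end = rtf.find(b"}", match.end())
        raw = rtf[match.end():end if end != -1 else len(rtf)]
        raw = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", raw)   # drop control words mixed into the hex
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)      # drop whitespace and line breaks
        digits = digits[:len(digits) - len(digits) % 2]  # ignore a dangling nibble
        yield bytes.fromhex(digits.decode("ascii"))

def declared_classes(rtf: bytes):
    """Return the class names the document itself declares via \\objclass."""
    return [c.strip().decode("latin-1")
            for c in re.findall(rb"\\objclass\s+([^}]*)", rtf)]

def equation_objects(rtf: bytes):
    """Return indices of embedded objects whose decoded data names Equation Editor."""
    return [i for i, blob in enumerate(objdata_blobs(rtf))
            if EQUATION_PROGID in blob.lower()]

# Constructed sample: declares "Package" but the split, mixed-case hex decodes
# to an OLE header carrying the class name "Equation.3".
SAMPLE_OBFUSCATED = (
    rb"{\rtf1{\object\objemb{\*\objclass Package}"
    rb"{\*\objdata 01050000 0200"
    b"\r\n"
    rb"0000 0B000000 45717561 74696F6E2E 3300 00000000}}}"
)
# Constructed sample: an embedded object whose data names "Excel.Sheet.8".
SAMPLE_BENIGN = (
    rb"{\rtf1{\object\objemb{\*\objclass Excel.Sheet.8}"
    rb"{\*\objdata 01050000020000000e000000457863656c2e53686565742e380000000000}}}"
)

if __name__ == "__main__":
    for name, doc in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(name, "declared:", declared_classes(doc),
              "equation objects:", equation_objects(doc))
```

The decoder is deliberately simplified and covers only whitespace, line breaks and stray control words inside the hex; a production scanner needs a full RTF object parser.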