Follow this advice to block malicious Office files from doing harm to your network even if you've implemented Microsoft's recommended actions. Credit: Gwengoat / Getty Images Once again attackers have used Office files in targeted attacks against Microsoft users. This time they used the Windows Explorer preview pane to deliver malicious .doc, .docm, and .docx files. Researchers have found that malicious .rtf files can also be used in such attacks. For this exploit, an attacker crafts a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.The attacker must convince a user to open the malicious document. So, your first line of defense is an educated user who doesn’t blindly open unexpected files. In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Your antivirus tools may already include detections for this exploit as well.Microsoft has released CVE-2021-40444 to track this vulnerability. Even when it’s fixed, don’t let your guard down. Instead, I recommend you keep one key protection that probably many of us are not doing to protect ourselves from malicious Office files including those used in this most current exploit.Microsoft Defender Attack Surface Reduction rulesA vulnerability analyst at the CERT/CC, Will Dorman, pointed out that using Microsoft Defender’s Attack Surface Reduction (ASR) rules is a better long-term way to protect against such attacks. You can do this in multiple ways. You can use Group Policy to configure ASR rules. This setting has been available since version 1709 of Windows 10. The exploit starts with an ActiveX CAB to place a DLL at a known location on the targeted system. A .CPL URI is then used to run that code. Microsoft’s mitigation focuses on blocking the ActiveX file so it can’t be called into action. Using ASR rules protects you not only for the current exploit but for future similar exploits.To enable this setting, select in order: “Computer Configuration”“Administrative Templates”“Windows Components”“Microsoft Defender Antivirus”“Microsoft Defender Exploit Guard”“Attack Surface Reduction”“Configure Attack Surface Reduction rules” and make sure the value is set to “Enabled”In earlier versions “Microsoft Defender antivirus” was called “Windows Defender antivirus.” so your group policy may need refreshing to track the new name even though the old name will still work. Susan BradleySelect “Show…” and verify the rule ID in the “Value name” column and the desired state in the “Value” column is set as follows:Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688AValue: 1 Susan BradleyASR functions are available in Windows 10 Pro v1709 or later, Windows 10 Enterprise v1709 or later, Windows Server v1803 (Semi-Annual Channel) or later, and Windows Server 2019 or later. All ASR protections are available in Windows 10 Professional, but more reporting and monitoring functions are available in Enterprise SKUs.If you prefer a more targeted protection and follow just the Microsoft-specific guidance, you can do so by disabling the installation of all ActiveX controls in Internet Explorer. You can do this for all sites by configuring a group policy using your local Group Policy editor or by updating the registry. In Group Policy, navigate in this order to: “Computer Configuration”“Administrative Templates”“Windows Components”“Internet Explorer”“Internet Control Panel”“Security Page”Select each zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone) and double-click on “Download signed ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”. Double-click on “Download unsigned ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”.Microsoft recommends setting this for Internet Zone, Intranet Zone, Local Machine Zone, and Trusted Sites Zone. If you rely on ActiveX for any internal functions, this will allow previously installed and deployed ActiveX controls to still function but will block any new ActiveX controls from being installed and used in your systems. In my testing, I have not seen any side effects with disabling ActiveX in this manner. Alternatively, you can use registry keys to disable these ActiveX controls.Disable Windows Explorer preview paneIt’s recommended to also disable shell preview in Windows Explorer. I do not enable preview pane in Windows Explorer unless I have a specific need or task in mind. It slows my computer down if it’s enabled.To disable both the ActiveX and the Windows Explorer view of .doc, .docm, .docx and .rtf files, use the following registry key (also downloadable from this link): Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones Related content news Amazon’s AWS Control Tower aims to help secure your data’s borders As digital compliance tasks and data sovereignty rules get ever more complicated, Amazon wants automation to help. By Jon Gold Nov 28, 2023 3 mins Regulation Regulation Government news North Korean hackers mix code from proven malware campaigns to avoid detection Threat actors are combining RustBucket loader with KandyKorn payload to effect an evasive and persistent RAT attack. By Shweta Sharma Nov 28, 2023 3 mins Malware feature How a digital design firm navigated its SOC 2 audit L+R's pursuit of SOC 2 certification was complicated by hardware inadequacies and its early adoption of AI, but a successful audit has provided security and business benefits. By Alex Levin Nov 28, 2023 11 mins Certifications Compliance news GE investigates alleged data breach into confidential projects: Report General Electric has confirmed that it has started an investigation into the data breach claims made by IntelBroker. By Shweta Sharma Nov 27, 2023 3 mins Data Breach Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe