powerpoint mouseover phishing

[Video] View the PowerPoint Mouseover Phishing Technique in Action

In this post, we’ll take look at one of the latest hacking techniques involving PowerPoint and the mouseover action. Check out our demo video to see the technique in action.

The PowerPoint mouseover technique disrupts a decade’s worth of user awareness education. As security professionals, we constantly warn employees to be aware of phishing emails with malicious links and attachments. If an email or document has a link, we encourage people to hover their mouse over it to verify the link they see and the actual link are the same. Thanks to some imaginative hackers, that advice should still be followed, but now there are new concerns when hovering over links in PowerPoint.

Within the last three weeks, security researchers have discovered a phishing campaign that featured PowerPoint files. Unique to this campaign was that attackers established a foothold within the network without a person ever clicking on the link within the compromised PowerPoint file. In non-technical terms, just by hovering over a link within the PowerPoint file, systems were compromised.

It’s important to remember that links aren’t limited just to text. Malicious hackers can create links around text, shapes, and even images. If hackers made a transparent image the same size as a slide and linked the transparent image, no matter where a mouse moves, the code would execute.

What are the Origins of This Attack?

In the late 90s and early 2000s, the most common way for external threat actors to infiltrate networks was through exploits that took advantage of unpatched systems. Enterprise-wide solutions for managing and verifying patching levels were uncommon at the time. The role of patching systems fell on the shoulders of a few overworked system administrators who had to physically go to each system and apply patches manually. You can see how systems could accidentally go unpatched over the years.

Fast-forward to today. Most larger U.S. organizations not only have enterprise-wide solutions for patching, but they also have dedicated security teams monitoring systems that can’t be patched. That’s why external exploits of unpatched systems are rarer. Instead, malicious hackers have adopted phishing as their primary method to gain access.

Why target the system when you can target the human behind the system? Unlike systems, humans cannot be patched. Phishing schemes can exploit human errors and emotions.

At the low-end, phishers use campaigns like the Nigerian Prince scam, which isn’t targeting a specific group of people or information, but out of 10,000 emails sent, maybe one person will be victimized. At the high-end, phishers use campaigns we rarely hear about. These campaigns are designed to replicate emails that users are likely expecting and trigger actions that people are likely to perform. The PowerPoint mouseover technique is just one of the latest examples of this.

How Do You Stop It?  

  • User awareness is still king (in this domain). Share this blog with your employees and watch our video.
  • For the technique to work, the PowerPoint must be in presentation mode. If you get a PowerPoint deck in an email attachment, and it opens in presentation mode, immediately exit the presentation with the ESCAPE key.
  • If you do happen to hover over an area in a compromised PowerPoint, you will quickly see an acknowledgement window pop up that asks you to click to proceed. Unlike most Microsoft pop-ups, there are two buttons that allow the code to execute, and only one that will deny it. Stay calm and click CANCEL.

Next Steps

Get an assessment by phishing and enterprise penetration testing experts to make sure you understand the gaps in your security posture, and educate your employees, contractors, and trusted business partners on this phishing technique.