PowerPoint add-on used to spread malicious files, says Avanan

A PowerPoint add-on is being used to spread malicious files, according to findings from security firm Avanan.

Avanan’s Jeremy Fuchs noted the .ppam file – which contains bonus commands and custom macros – is used by hackers “to wrap executable files”.

The company began seeing the attack vector in January, noting that .ppam files were used to wrap executable files in a way that allows hackers to “take control of the end user’s computer”. Most of the attacks are done by e-mail.

“In this attack, hackers display a generic purchase order email, a fairly standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds some functionality. However, this file actually wraps a malicious process by which the registry setting will be overwritten,” Fuchs said.

“By using .ppam files… hackers can wrap, and therefore hide, malicious files. In this case, the file will overwrite registry settings in Windows, allowing the attacker to take control of the computer and to remain active by residing persistently in the computer’s memory.”

Hackers have found a way to bypass security tools due to the low frequency of use of the .ppam file. Fuchs added that the attack method could be used to spread ransomware, reporting an incident in October where a ransomware group used the file type in an attack.

Aaron Turner, vice president of SaaS posture at Vectra, said the ubiquity of Microsoft’s collaboration suite makes it a favorite of attackers, and the latest PowerPoint attack is the most recent example in more than 20 years of nifty Microsoft Office documents delivering exploits.

“For organizations that rely on Exchange Online for their email, they should review their anti-malware policies configured in their Microsoft 365 Defender Portal. Alternatively, if there is a high risk of an attack that needs to be addressed outside of Defender policies, attached file types can be blocked in a dedicated .ppam blocking policy as an Exchange Online mail flow policy,” Turner said.

“When we run our posture assessment scan on Exchange Online, we check the configured policy and compare it to our recommendation to block over 100 different file types. As a result of this scan, we will add .ppam to our list of file extensions to block due to the relative obscurity and low usage of this particular PowerPoint file extension.”
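The two controls Turner describes, reviewing the anti-malware policy in Microsoft 365 Defender and adding a dedicated .ppam block as an Exchange Online mail flow rule, can be checked and applied from Exchange Online PowerShell. The script below is an added example for this article; it is not Avanan’s or Vectra’s code and not part of their posture scan. It assumes the ExchangeOnlineManagement module, an account holding the Exchange admin role, and the default anti-malware policy named “Default”; the admin UPN and the rule name are placeholders.

```powershell
# Added example (not from the article, Avanan or Vectra):
#  1. check whether .ppam is already covered by the common-attachments filter
#     in the default anti-malware policy, and add it if not;
#  2. create a dedicated mail flow (transport) rule that rejects inbound
#     mail from outside the organisation carrying a .ppam attachment;
#  3. print what is now configured.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder UPN

$Extension = 'ppam'

# --- 1. Anti-malware policy (Microsoft 365 Defender portal equivalent) ---
$Policy = Get-MalwareFilterPolicy -Identity 'Default'

if (-not $Policy.EnableFileFilter) {
    Write-Warning 'Common attachments filter is disabled in the Default anti-malware policy.'
}

if ($Policy.FileTypes -contains $Extension) {
    Write-Output "'$Extension' is already in the Default policy's blocked file types."
}
else {
    Write-Warning "'$Extension' is NOT blocked by the Default anti-malware policy; adding it."
    # -FileTypes replaces the whole list, so append to the existing entries
    # instead of passing only the new extension.
    Set-MalwareFilterPolicy -Identity 'Default' `
        -EnableFileFilter $true `
        -FileTypes ($Policy.FileTypes + $Extension)
}

# --- 2. Dedicated mail flow rule, independent of Defender policy ---
$RuleName = 'Block inbound .ppam attachments'   # placeholder rule name

if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -AttachmentExtensionMatchesWords $Extension `
        -RejectMessageReasonText 'PowerPoint add-in (.ppam) attachments are not accepted.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Mode Enforce `
        -Enabled $true
}
else {
    Write-Output "Mail flow rule '$RuleName' already exists; leaving it unchanged."
}

# --- 3. Show the resulting configuration ---
Get-MalwareFilterPolicy -Identity 'Default' |
    Select-Object Name, EnableFileFilter, FileTypes
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Mode, FromScope, AttachmentExtensionMatchesWords
```

Running step 1 first mirrors the posture check in Turner’s second quote: it reports whether the extension is already on the policy’s block list before changing anything. The transport rule in step 2 is scoped to external senders so that internal sharing of legitimate add-ins is not affected; drop `-FromScope` if the organisation has no such use. Rolling the rule out with `-Mode Audit` for a few days before switching to `Enforce` shows how much genuine .ppam traffic, if any, would be rejected.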