An undocumented Word feature leaves an attack on Windows, iOS and Android users

Kaspersky security researchers have discovered a new form of attack that is being used to collect data from Microsoft Word users. Unlike the usual suspects in this type of malicious activity, it has nothing to do with macros, or exploits of content within the documents, as is usually the case.

Through a Word document that looks apparently harmless, with only text and a couple of links (no objects in Flash, or macros, or executable files), the attacker is able to take advantage of a function of the same Word that has not been documented before to collect data about the victim’s computer.

The researchers detected this type of attack when they encountered spear phishing campaigns, those scams targeted by email whose purpose is to obtain unauthorized access to confidential data, which contained attachments that did not appear to be malicious initially.

The malicious emails had a Word document attached with a few simple tricks for Google that looked apparently clean . But, using that document the attackers were able to insert links to PHP scripts from malicious third-party sites.

When the person opened the document he was able to take advantage of a function called ” INCLUDEPICTURE ” to manipulate the code and launch a request to the malicious URLs that were inside the document. And, in that way, they sent information about the victim’s computer and its version of Office.

The researchers had trouble understanding what exactly that “INCLUDEPICTURE” function did, as they did not find an official description or information on how it should be interpreted, since the Microsoft Office documentation does not include any description of it.

The function is found in Microsoft Word for Windows, iOS and Android. If any user of these systems opens the malicious document on their device, the malicious link will be called, their data will be collected and a possible list will be entered for future targeted attacks.