Undocumented MS Word Features Abused by Attackers

Explore undocumented Microsoft Word features exploited by attackers in this 17-minute Kaspersky presentation. Delve into the technical details of a suspicious document profiling activity targeting Kaspersky customers, involving remote picture links delivered through command and control servers. Uncover the inner workings of an undocumented Word feature that sends data to remote addresses upon document opening, even in Protected Mode. Learn to identify indicators of this feature within documents and understand its potential connection to threat actors like Turla and CloudAtlas. Gain insights into Include Picture, Character Properties, Picture Location, and Shapefile aspects of this security concern.

Intro
Technical Details
What is Include Picture
Character Properties
Picture Location
Shapefile
Conclusion