As files are shared more rapidly and in greater quantities than ever before, threat actors are increasingly incentivized to exploit file sharing trends. This has organically led object linking and embedding (OLE) technology – a Microsoft document feature intended to enhance user experiences by allowing content creators to connect external applications within a document – to become a prominent cyber-attack vector.

Why are OLE Vulnerabilities Attractive to Threat Actors?

Because OLE technology is available in several extremely common document formats (like MS word, for example), threat actors know they can reach a wide range of victims by exploiting OLE vulnerabilities. These document formats are very frequently shared within and across professional networks, increasing the likelihood that a document user will eventually activate malicious content and trigger remote code execution. In addition, links and objects embedded within a document are hard for many file scanning solutions to assess for threats, improving the likelihood that compromised documents avoid detection. Common workarounds to that problem (such as blacklisting affected file extensions) are impractical in this case given the ubiquity and importance of document formats with OLE capabilities.

Further, unlike attacks involving Macros – another document vulnerability frequently exploited by threat actors – there aren’t any convenient prompts within OLE-enabled documents which give readers the option to activate or deactivate additional document features. As a result, malicious links and objects placed within seemingly normal, safe-looking documents can remain undetected for a longer period, increasing the likelihood that a document user will eventually click on a malicious object or link.

How are OLE Vulnerabilities Exploited to Initiate a Cyber Attack?

OLE technology allows any content creator to make external resources accessible for document readers with a convenient clickable icon. Once activated by a document user, malicious embedded objects can quickly inject malware onto the victim’s computer, connect the computer with the attacker’s server, and allow the attacker to send a disguised executable malware payload.

To make matters worse, the events of an OLE attack can all happen very quickly. In some cases, the affected document viewer might not even notice the attack occurred, increasing the amount of damage the attacker can inflict before being stymied by security engineers.

Detect and Remove OLE Threats with the Cloudmersive Advanced Virus Scan API

The Cloudmersive Advanced Virus Scan API automatically detects OLE content within a document and returns a Boolean in the API response body indicating if OLE content was present. Administrators responsible for configuring the Advanced Virus Scan API request policies on their Cloudmersive account page (or in the API request body when using complementary code examples) can disallow files containing OLE content by setting the relevant request parameter to “False.” Once this parameter is set, any files containing OLE content will trigger a CleanResult: False response.

This scan will also check files against a continuously updated list of more than 17 million virus and malware signatures, with coverage including ransomware, spyware, and trojans. Additional custom policies can be configured in the API request body to detect hidden non-malware threats including executables, macros, scripts, password protected files, and more.

For more information about the Cloudmersive Advanced Virus Scan API, please do not hesitate to reach out to a member of our sales team.