Phishing with EmbeddedHTML Videos in Microsoft Word

Back in October of 2018 Avihai Ben-Yossef from Threat Emulation Organization Cymulate released an article on utilizing EmbeddedHTML within Microsoft Word (and other office products) to embed online videos within an Office document. Specifically utilizing Microsoft Word, they were able to open the document as an archive file and alter the way the embedded video works. Microsoft has since said that Word is functioning as designed and has no intentions of patching the issue. Working with this technique on and off over the last couple months has proven that it is difficult to detect, and the proposed mitigation techniques will likely not work at scale. Also, typical defenses are not actively looking at this type of technique as a possible threat.

More on the research can be seen here: Cymulate Article

The research goes on to show the proof of concept of having someone download a malicious executable, often with the context of making the video “work” or flash player, what-have-you. I wanted to take this in a little different direction and apply a slightly different context and utilize it for phishing YouTube (or other) credentials. If nothing else I wanted to highlight that this is likely something that you may start to see more often in your organization’s environments and giving different looks and variations of the attack would likely prove beneficial.

Downloading a file and running it is often a giant red flag, but would providing credentials given the proper context for entering credentials? For example, someone shares a “Private Video” with you via email (attached Word document with embedded online video), to view the video you would likely need to provide credentials (how would Word know your YouTube credentials?), that’s all it takes. No usage of macros, no downloading and running a file, no crazy exploits or anything. It’s simply just a Word document, opened like an archive with one line changed, and pointing to a directory on a web server set to handle the JSON/POST request. The rest is all context building.

Video PoC of Phishing:

While this is a rather rudimentary example (obviously I’m not a great web developer, look at this shit show of a website), it paints a very good picture of what could possibly be done. What if your “HR/Compliance team” (spoofed via OSINT on LinkedIn) sent you an email asking you to complete the latest training document? What about the newest video someone shared with you on Zoom or DropBox? The number of contexts that could be applied to this technique are endless and without a good way to mitigate the issue, it is likely that we will see this as a new technique for years to come.