Excel(ent) Obfuscation: Regex Gone Rogue
Join Ido Kringel and the Deep Instinct Threat Research Team in this deep dive into a recently discovered, Office-based regex evasion technique Microsoft Office-based attacks have long been a favored tactic amongst cybercriminals— and for good reason. Attackers frequently use Office documents in cyberattacks because they are widely trusted. These files, such as Word or Excel docs, are commonly exchanged in business and personal settings. They are also capable of carrying hidden malicious code, embedded macros, and external links that execute code when opened, especially if users are tricked into enabling features like macros. Moreover, Office documents support advanced techniques like remote template injection, obfuscated macros, and legacy features like Excel 4.0 macros. These allow attackers to bypass antivirus detection and trigger multi-stage payloads such as ransomware or information-stealing malware. Since Office files are familiar to users and often appear legitimate (e.g., invoices, resumes, or reports), they’re also highly effective tools in phishing and social engineering attacks. This mixture of social credit and advanced attack characteristics unique to Office files, as well as compatibility across platforms and integration with scripting languages, makes them ideal for initiating sophisticated attacks with minimal user suspicion. Last year, Microsoft announced the availability of three new functions that use Regular Expressions (regex) to help parse text more easily: Regex are sequences of characters that define search patterns, primarily used for string matching and manipulation. They enable efficient text processing by allowing complex searches, replacements, and validations based on specific criteria.
