Threat Actors Weaponize Legitimate Software – Microsoft Office & Remote Access Tools Exploited to Bypass Defenses
What Happened — Threat actors are increasingly repurposing legitimate applications—most notably Microsoft Office products and commercial Remote Access Tools (RATs)—to deliver malicious payloads and evade endpoint detection. The Cofense Intelligence report (Dec 2021‑Dec 2024) documents CVE‑based exploits, macro abuse, and the rise of ConnectWise and NetSupport Manager RATs as preferred delivery vectors.
Why It Matters for TPRM —
- Legitimate software is often excluded from third‑party risk assessments, creating blind spots.
- Exploited tools can be present in any vendor stack, expanding the attack surface beyond “malware‑only” scenarios.
- Unpatched CVEs in widely‑deployed products (e.g., Office Equation Editor) can cascade risk to downstream customers.
Who Is Affected — Enterprises across all sectors that rely on Microsoft Office suites, commercial RATs, or any third‑party remote‑support solutions.
Recommended Actions —
- Re‑evaluate vendor risk models to include “legitimate‑software abuse” as a threat vector.
- Enforce rapid patching cycles for known CVEs, especially those affecting Office components.
- Harden remote‑access controls: limit demo/low‑cost RAT deployments, enforce MFA, and monitor for anomalous remote sessions.
Technical Notes — Abuse vectors include CVE-2017-11882 (Office Equation Editor), legacy macro execution, and unencrypted remote‑access protocols in ConnectWise/NetSupport RATs. Attackers leverage these to achieve Remote Code Execution (RCE) and bypass EDR signatures.
Source: Cofense Intelligence – Weaponizing Apathy
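The three abuse vectors above each leave a recognisable trace in process-creation telemetry: the Equation Editor binary (EQNEDT32.EXE, the target of CVE-2017-11882) has no legitimate reason to spawn a child process, an Office application launching a script host is the classic macro-abuse pattern, and a remote-access client running from a user-writable directory rather than an administrator-deployed install path is a sign it was dropped rather than provisioned. The triage script below is an added example, not code from the Cofense report or from either vendor; it assumes a simple key/value export of process-creation events (a constructed, Sysmon-like format, not a vendor schema), assumes the client binary names `client32.exe` (NetSupport Manager) and `ScreenConnect.ClientService.exe` (ConnectWise Control), and treats the two standard Program Files directories as the only approved RAT install locations. Adjust those constants to your own inventory.

```python
"""Triage process-creation events for the abuse patterns named in the advisory."""
import re
from dataclasses import dataclass

# Assumed client binary names for the two RAT families the report names;
# verify these against your own software inventory before relying on them.
RAT_CLIENTS = {
    "client32.exe": "NetSupport Manager",
    "screenconnect.clientservice.exe": "ConnectWise Control",
}
# Where an administrator-deployed RAT client is expected to live (assumption).
APPROVED_RAT_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"  # Office Equation Editor, the CVE-2017-11882 target
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Hypothetical key="value" log format used only for this example.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that created it


def parse_event(line: str) -> ProcEvent:
    """Parse one key="value" line into a ProcEvent."""
    f = dict(FIELD_RE.findall(line))
    return ProcEvent(f["host"], f["user"], f["image"], f["parent_image"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return a list of finding tags for one event (empty means nothing suspicious)."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # 1. Equation Editor should never have children; a child strongly suggests exploitation.
    if parent == EQUATION_EDITOR:
        findings.append(f"equation-editor-child:{img}")
    # 2. Office application spawning a script host: the macro-abuse pattern.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        findings.append(f"office-spawned-script-host:{img}")
    # 3. RAT client running outside the approved, admin-deployed install path.
    if img in RAT_CLIENTS:
        p = ev.image.lower()
        if not p.startswith(APPROVED_RAT_DIRS) or any(d in p for d in USER_WRITABLE):
            findings.append(f"rat-unapproved-path:{RAT_CLIENTS[img]}")
    return findings


def triage(lines) -> list:
    """Run classify() over raw log lines; return (host, finding) pairs in log order."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        results.extend((ev.host, tag) for tag in classify(ev))
    return results


# Constructed sample events: two benign baselines, then one hit per abuse vector.
SAMPLE_LOG = r"""
host="WS-0142" user="ACME\jdoe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" parent_image="C:\Windows\explorer.exe"
host="WS-0142" user="ACME\jdoe" image="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" parent_image="C:\Windows\System32\svchost.exe"
host="WS-0142" user="ACME\jdoe" image="C:\Windows\System32\cmd.exe" parent_image="C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
host="WS-0207" user="ACME\asmith" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent_image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
host="WS-0310" user="ACME\helpdesk" image="C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" parent_image="C:\Windows\System32\services.exe"
host="WS-0142" user="ACME\jdoe" image="C:\Users\jdoe\AppData\Roaming\Support\client32.exe" parent_image="C:\Windows\System32\cmd.exe"
host="WS-0310" user="ACME\helpdesk" image="C:\Users\Public\ScreenConnect.ClientService.exe" parent_image="C:\Windows\System32\cmd.exe"
"""

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOG.splitlines()):
        print(f"{host}: {finding}")
```

The first two sample events (Word opened from Explorer, Equation Editor launched via the DCOM service host) produce no findings, which matters: Equation Editor starting is normal when a user opens a document with an equation, and only its child processes are the signal. The approved NetSupport install under Program Files is likewise silent, so the rule flags deployment location, not the product itself, which is the distinction the "legitimate-software abuse" threat model requires.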