In response to a growing trend in attacks that involve embedding malicious objects inside Office documents using the Object Packager control, Office is introducing a change to the default activation model for Packager objects in Office 365 applications.
Prior to this update, executables or scripts (e.g. EXE, JS, VBS) embedded using the Object Packager control can activate when a user double clicks on the embedded object within the document. For objects considered high risk by Windows, users will see a security warning as shown below.
If the user clicks “Open”, the object executes with the privileges of the signed in user. Attackers abuse this vector to social engineer users to activate malicious programs embedded inside Office documents by persuading them to click through this warning prompt.
To protect users, Office 365 applications will, by default, block activation of objects considered high risk. The list of extensions blocked will be the same one used by Outlook to block attachments. The list of extensions can be found here: File extensions blocked in OLE package.
What does this behavior look like?
With this update, Office clients will no longer allow the activation of objects that link to extensions that are considered high risk. When a user tries to activate such an object, they will be provided with the following notification:
“Office has blocked access to the following embedded object to keep you safe.”
If an embedded extension is not part of the list of extensions blocked by this mitigation, then the object is activated without any warnings from Office.
Can I customize the extensions being blocked?
Yes, Office provides two Group Policy options that allow an administrator to customize which extensions are blocked. You'll find each of them under Office/Security Settings/.
Allow file extensions for OLE embedding
This policy setting allows you to specify which file extensions Office won’t block when they are embedded as an OLE package in an Office file by using the Object Packager control. If you enable this policy setting, enter the file extensions to allow, separated by semicolons.
For example: exe;vbs;js
Warning: Malicious scripts and executables can be embedded as an OLE package and can cause harm if clicked by the user. If extensions are added to this allow list, they lower the default security of the Office client by opening up attack surface that can be abused by an attacker.
Block additional file extensions for OLE embedding
This policy setting allows you to specify additional file extensions that Office will block when they are embedded as an OLE package in an Office file by using the Object Packager control.
If you enable this policy setting, enter the additional file extensions to block, separated by semicolons.
For example: py;rb
Note: If you add a file extension under both “Allow file extensions for OLE embedding” and “Block file extensions for OLE embedding”, the extension will be blocked.
How do I change this behavior?
To change this behavior for a specific application such as Word or Excel you can create the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Office application>\Security\PackagerPrompt
Caution: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To create the registry key:
-
Exit any Office applications that you might have open.
-
Start the Registry Editor by clicking Start (or pressing the Windows key on your keyboard) then typing Regedit and pressing enter.
-
Locate the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Office application>\Security\
Office application should be one of:
-
Word
-
Excel
-
PowerPoint
-
Visio
-
Publisher
-
-
Right click the key and add a new REG_DWORD hexidecimal value called PackagerPrompt with one of the following values:
-
0 – No prompt from Office when user clicks, object executes
-
1 – Prompt from Office when user clicks, object executes
-
2 – No prompt, Object does not execute
-
For more information about this registry key see: https://support.microsoft.com/en-us/kb/926530
File extensions blocked in OLE package
|
File name extension |
File type |
|---|---|
|
.ade |
Access Project Extension (Microsoft) |
|
.adp |
Access Project (Microsoft) |
|
.app |
Executable Application |
|
.appcontent-ms |
Application Content |
|
.application |
Application Manifest |
|
.asp |
Active Server Page |
|
.bas |
BASIC Source Code |
|
.bat |
Batch Processing script |
|
.cer |
Internet Security Certificate File |
|
.chm |
Compiled HTML Help |
|
.cmd |
DOS CP/M Command File or Command File for Windows NT |
|
.cnt |
Microsoft Help Workshop Application |
|
.com |
Command |
|
.cpl |
Windows Control Panel Extension (Microsoft) |
|
.crt |
Certificate File |
|
.csh |
csh Script |
|
.der |
DER Encoded X509 Certificate File |
|
.diagcab |
Microsoft Support diagnostic tools |
|
.exe |
Executable File |
|
.fxp |
FoxPro Compiled Source (Microsoft) |
|
.gadget |
Windows Vista gadget |
|
.grp |
Microsoft program group |
|
.hlp |
Windows Help File |
|
.hpj |
AppWizard Help Project |
|
.hta |
Hypertext Application |
|
.inf |
Information or Setup File |
|
.ins |
IIS Internet Communications Settings (Microsoft) |
|
.iso |
Disc Image File |
|
.isp |
IIS Internet Service Provider Settings (Microsoft) |
|
.its |
Internet Document Set, Internet Translation |
|
.jar |
Java Archive |
|
.jnlp |
Java Network Launch Protocol |
|
.js |
JavaScript Source Code |
|
.jse |
JScript Encoded Script File |
|
.ksh |
UNIX Shell Script |
|
.lnk |
Windows Shortcut File |
|
.mad |
Access Module Shortcut (Microsoft) |
|
.maf |
Access (Microsoft) |
|
.mag |
Access Diagram Shortcut (Microsoft) |
|
.mam |
Access Macro Shortcut (Microsoft) |
|
.maq |
Access Query Shortcut (Microsoft) |
|
.mar |
Access Report Shortcut (Microsoft) |
|
.mas |
Access Stored Procedures (Microsoft) |
|
.mat |
Access Table Shortcut (Microsoft) |
|
.mau |
Media Attachment Unit |
|
.mav |
Access View Shortcut (Microsoft) |
|
.maw |
Access Data Access Page (Microsoft) |
|
.mcf |
Media Container Format |
|
.mda |
Access Add-in (Microsoft) or MDA Access 2 Workgroup (Microsoft) |
|
.mdb |
Access Application (Microsoft) or MDB Access Database (Microsoft) |
|
.mde |
Access MDE Database File (Microsoft) |
|
.mdt |
Access Add-in Data (Microsoft) |
|
.mdw |
Access Workgroup Information (Microsoft) |
|
.mdz |
Access Wizard Template (Microsoft) |
|
.msc |
Microsoft Management Console Snap-in Control File (Microsoft) |
|
.msh |
Microsoft Shell |
|
.msh1 |
Microsoft Shell |
|
.msh2 |
Microsoft Shell |
|
.mshxml |
Microsoft Shell |
|
.msh1xml |
Microsoft Shell |
|
.msh2xml |
Microsoft Shell |
|
.msi |
Windows Installer File (Microsoft) |
|
.msp |
Windows Installer Update |
|
.mst |
Windows SDX Setup Transform Script |
|
.msu |
Windows Update file |
|
.ops |
Office Profile Settings File |
|
.osd |
Open Software Description |
|
.pcd |
Visual Test (Microsoft) |
|
.pif |
Windows Program Information File (Microsoft) |
|
.pl |
Perl script |
|
.plg |
Developer Studio Build Log |
|
.prf |
Windows System File |
|
.prg |
Program File |
|
.printerexport |
Printer backup file |
|
.ps1 |
Windows PowerShell |
|
.ps1xml |
Windows PowerShell |
|
.ps2 |
Windows PowerShell |
|
.ps2xml |
Windows PowerShell |
|
.psc1 |
Windows PowerShell |
|
.psc2 |
Windows PowerShell |
|
.psd1 |
Windows PowerShell |
|
.psdm1 |
Windows PowerShell |
|
.pst |
Microsoft Exchange Address Book File or Outlook Personal Folder File (Microsoft) |
|
.reg |
Registry Information/Key for Windows 95/98 or Registry Data File |
|
.scf |
Windows Explorer Command |
|
.scr |
Windows Screen Saver |
|
.sct |
Windows Script Component or FoxPro Screen (Microsoft) |
|
.settingcontent-ms |
Setting content |
|
.shb |
Windows Shortcut into a Document |
|
.shs |
Shell Scrap Object File |
|
.theme |
Desktop theme file settings |
|
.tmp |
Temporary File or Folder |
|
.url |
Internet Location |
|
.vb |
VBScript File or Any Visual Basic Source |
|
.vbe |
VBScript Encoded Script File |
|
.vbp |
Visual Basic Project File |
|
.vbs |
VBScript Script File or Visual Basic for Applications Script |
|
.vsmacros |
Visual Studio .NET Binary-based Macro Project (Microsoft) |
|
.vsw |
Visio Workspace File (Microsoft) |
|
.webpnp |
Internet printing file |
|
.website |
Pinned site shortcut from Internet Explorer |
|
.ws |
Windows Script File |
|
.wsc |
Windows Script Component |
|
.wsf |
Windows Script File |
|
.wsh |
Windows Script Host Settings File |
|
.xbap |
Browser Applications |
|
.xll |
Excel Add-in |
|
.xnk |
Exchange Public Folder Shortcut |
Have a question about Office that we didn't answer?
Visit the Microsoft Answers Community to see questions and answers posted by others or get answers to your own questions.
