Packager Activation in Office 365 desktop applications

In response to a growing trend in attacks that involve embedding malicious objects inside Office documents using the Object Packager control, Office is introducing a change to the default activation model for Packager objects in Office 365 applications.

Prior to this update, executables or scripts (e.g. EXE, JS, VBS) embedded using the Object Packager control can activate when a user double clicks on the embedded object within the document. For objects considered high risk by Windows, users will see a security warning as shown below.

If you try to open an object that Windows considers high risk, you'll receive a caution.

If the user clicks “Open”, the object executes with the privileges of the signed in user. Attackers abuse this vector to social engineer users to activate malicious programs embedded inside Office documents by persuading them to click through this warning prompt.

To protect users, Office 365 applications will, by default, block activation of objects considered high risk. The list of extensions blocked will be the same one used by Outlook to block attachments. The list of extensions can be found here: File extensions blocked in OLE package.

What does this behavior look like?

With this update, Office clients will no longer allow the activation of objects that link to extensions that are considered high risk. When a user tries to activate such an object, they will be provided with the following notification:

“Office has blocked access to the following embedded object to keep you safe.”

Block notification for Packager Objects

If an embedded extension is not part of the list of extensions blocked by this mitigation, then the object is activated without any warnings from Office.

Can I customize the extensions being blocked?

Yes, Office provides two Group Policy options that allow an administrator to customize which extensions are blocked. You'll find each of them under Office/Security Settings/.

Allow file extensions for OLE embedding

This policy setting allows you to specify which file extensions Office won’t block when they are embedded as an OLE package in an Office file by using the Object Packager control. If you enable this policy setting, enter the file extensions to allow, separated by semicolons.

For example: exe;vbs;js

Warning: Malicious scripts and executables can be embedded as an OLE package and can cause harm if clicked by the user. If extensions are added to this allow list, they lower the default security of the Office client by opening up attack surface that can be abused by an attacker.

Block additional file extensions for OLE embedding

This policy setting allows you to specify additional file extensions that Office will block when they are embedded as an OLE package in an Office file by using the Object Packager control.

If you enable this policy setting, enter the additional file extensions to block, separated by semicolons.

For example: py;rb

Note: If you add a file extension under both “Allow file extensions for OLE embedding” and “Block file extensions for OLE embedding”, the extension will be blocked.

How do I change this behavior?

To change this behavior for a specific application such as Word or Excel you can create the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Office application>\Security\PackagerPrompt

Caution: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To create the registry key:

  1. Exit any Office applications that you might have open.

  2. Start the Registry Editor by clicking Start (or pressing the Windows key on your keyboard) then typing Regedit and pressing enter.

  3. Locate the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<Office application>\Security\

    Office application should be one of:

    • Word

    • Excel

    • PowerPoint

    • Visio

    • Publisher

  4. Right click the key and add a new REG_DWORD hexidecimal value called PackagerPrompt with one of the following values:

    • 0 – No prompt from Office when user clicks, object executes

    • 1 – Prompt from Office when user clicks, object executes

    • 2 – No prompt, Object does not execute

For more information about this registry key see: https://support.microsoft.com/en-us/kb/926530 

File extensions blocked in OLE package

File name extension

File type

.ade

Access Project Extension (Microsoft)

.adp

Access Project (Microsoft)

.app

Executable Application

.appcontent-ms

Application Content

.application

Application Manifest

.asp

Active Server Page

.bas

BASIC Source Code

.bat

Batch Processing script

.cer

Internet Security Certificate File

.chm

Compiled HTML Help

.cmd

DOS CP/M Command File or Command File for Windows NT

.cnt

Microsoft Help Workshop Application

.com

Command

.cpl

Windows Control Panel Extension (Microsoft)

.crt

Certificate File

.csh

csh Script

.der

DER Encoded X509 Certificate File

.diagcab

Microsoft Support diagnostic tools

.exe

Executable File

.fxp

FoxPro Compiled Source (Microsoft)

.gadget

Windows Vista gadget

.grp

Microsoft program group

.hlp

Windows Help File

.hpj

AppWizard Help Project

.hta

Hypertext Application

.inf

Information or Setup File

.ins

IIS Internet Communications Settings (Microsoft)

.iso

Disc Image File

.isp

IIS Internet Service Provider Settings (Microsoft)

.its

Internet Document Set, Internet Translation

.jar

Java Archive

.jnlp

Java Network Launch Protocol

.js

JavaScript Source Code

.jse

JScript Encoded Script File

.ksh

UNIX Shell Script

.lnk

Windows Shortcut File

.mad

Access Module Shortcut (Microsoft)

.maf

Access (Microsoft)

.mag

Access Diagram Shortcut (Microsoft)

.mam

Access Macro Shortcut (Microsoft)

.maq

Access Query Shortcut (Microsoft)

.mar

Access Report Shortcut (Microsoft)

.mas

Access Stored Procedures (Microsoft)

.mat

Access Table Shortcut (Microsoft)

.mau

Media Attachment Unit

.mav

Access View Shortcut (Microsoft)

.maw

Access Data Access Page (Microsoft)

.mcf

Media Container Format

.mda

Access Add-in (Microsoft) or MDA Access 2 Workgroup (Microsoft)

.mdb

Access Application (Microsoft) or MDB Access Database (Microsoft)

.mde

Access MDE Database File (Microsoft)

.mdt

Access Add-in Data (Microsoft)

.mdw

Access Workgroup Information (Microsoft)

.mdz

Access Wizard Template (Microsoft)

.msc

Microsoft Management Console Snap-in Control File (Microsoft)

.msh

Microsoft Shell

.msh1

Microsoft Shell

.msh2

Microsoft Shell

.mshxml

Microsoft Shell

.msh1xml

Microsoft Shell

.msh2xml

Microsoft Shell

.msi

Windows Installer File (Microsoft)

.msp

Windows Installer Update

.mst

Windows SDX Setup Transform Script

.msu

Windows Update file

.ops

Office Profile Settings File

.osd

Open Software Description

.pcd

Visual Test (Microsoft)

.pif

Windows Program Information File (Microsoft)

.pl

Perl script

.plg

Developer Studio Build Log

.prf

Windows System File

.prg

Program File

.printerexport

Printer backup file

.ps1

Windows PowerShell

.ps1xml

Windows PowerShell

.ps2

Windows PowerShell

.ps2xml

Windows PowerShell

.psc1

Windows PowerShell

.psc2

Windows PowerShell

.psd1

Windows PowerShell

.psdm1

Windows PowerShell

.pst

Microsoft Exchange Address Book File or Outlook Personal Folder File (Microsoft)

.reg

Registry Information/Key for Windows 95/98 or Registry Data File

.scf

Windows Explorer Command

.scr

Windows Screen Saver

.sct

Windows Script Component or FoxPro Screen (Microsoft)

.settingcontent-ms

Setting content

.shb

Windows Shortcut into a Document

.shs

Shell Scrap Object File

.theme

Desktop theme file settings

.tmp

Temporary File or Folder

.url

Internet Location

.vb

VBScript File or Any Visual Basic Source

.vbe

VBScript Encoded Script File

.vbp

Visual Basic Project File

.vbs

VBScript Script File or Visual Basic for Applications Script

.vsmacros

Visual Studio .NET Binary-based Macro Project (Microsoft)

.vsw

Visio Workspace File (Microsoft)

.webpnp

Internet printing file

.website

Pinned site shortcut from Internet Explorer

.ws

Windows Script File

.wsc

Windows Script Component

.wsf

Windows Script File

.wsh

Windows Script Host Settings File

.xbap

Browser Applications

.xll

Excel Add-in

.xnk

Exchange Public Folder Shortcut

Have a question about Office that we didn't answer?

Visit the Microsoft Answers Community to see questions and answers posted by others or get answers to your own questions.

See Also

Insert an object (Excel)

Insert an object in Word or Outlook

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×