Skip to navigationSkip to content

This malware activates when you hover over a link in Microsoft PowerPoint

A PowerPoint document infected with malware.
Trend Micro
A PowerPoint document infected with malware.
Published Last updated This article is more than 2 years old.

Malware has been popping up in the strangest places lately.

Traditionally, malicious software works its way into computers when users click links or download attachments in phishing emails, or use infected thumb drives. But recent hacking campaigns have used more novel methods. One hid malware in downloadable subtitle files that activated through media players like VLC and Popcorn Time. Another was coded into the pixels of images used in a “malvertising” effort where hackers pay to get infectious ads onto legitimate websites.

Now, researchers at Trend Micro have discovered a trojan horse than activates when users hover their mouse over links and images in Microsoft PowerPoint documents.

The malware is built to steal credentials such as banking information, according to a blog post by Trend Micro, and is capable of “persistence, remote access, network traffic monitoring, and browser manipulation.”

Although the delivery method is new, the malware it injects has been around since 2012.

“In fact,” according to Trend Micro, the malware “was used in a spam campaign in France last 2015, whose spammed messages masqueraded as a letter from the French ministry of Justice.”

Hackers distributed the PowerPoint files using typical spamming methods, sending emails designed to look legitimate to unsuspecting users, targeting industries that include “manufacturing, device fabrication, education, logistics, and pyrotechnics.” The users have to open the PowerPoint files to become infected by the malware—though don’t have to do anything besides hover over the links to activate it.

Trend Micro
A sample of a spam email used to distribute the infected PowerPoint files.

To avoid infection, Trend Micro suggests using PowerPoint’s Protected View, “which Microsoft enables by default, especially to documents downloaded from possibly unsafe locations.” When Protected View is enabled, PowerPoint will issue a warning about the malicious code.

You could also try to totally steer clear of PowerPoint files—some designers and businesspeople argue it’s a fundamentally flawed way to communicate to begin with.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.