Skip to navigationSkip to content
A PowerPoint document infected with malware.
Trend Micro
A PowerPoint document infected with malware.

This malware activates when you hover over a link in Microsoft PowerPoint

Keith Collins
By Keith Collins

Tech Reporter

Malware has been popping up in the strangest places lately.

Traditionally, malicious software works its way into computers when users click links or download attachments in phishing emails, or use infected thumb drives. But recent hacking campaigns have used more novel methods. One hid malware in downloadable subtitle files that activated through media players like VLC and Popcorn Time. Another was coded into the pixels of images used in a “malvertising” effort where hackers pay to get infectious ads onto legitimate websites.

Now, researchers at Trend Micro have discovered a trojan horse than activates when users hover their mouse over links and images in Microsoft PowerPoint documents.

The malware is built to steal credentials such as banking information, according to a blog post by Trend Micro, and is capable of “persistence, remote access, network traffic monitoring, and browser manipulation.”

Although the delivery method is new, the malware it injects has been around since 2012.

“In fact,” according to Trend Micro, the malware “was used in a spam campaign in France last 2015, whose spammed messages masqueraded as a letter from the French ministry of Justice.”

Hackers distributed the PowerPoint files using typical spamming methods, sending emails designed to look legitimate to unsuspecting users, targeting industries that include “manufacturing, device fabrication, education, logistics, and pyrotechnics.” The users have to open the PowerPoint files to become infected by the malware—though don’t have to do anything besides hover over the links to activate it.

Trend Micro
A sample of a spam email used to distribute the infected PowerPoint files.

To avoid infection, Trend Micro suggests using PowerPoint’s Protected View, “which Microsoft enables by default, especially to documents downloaded from possibly unsafe locations.” When Protected View is enabled, PowerPoint will issue a warning about the malicious code.

You could also try to totally steer clear of PowerPoint files—some designers and businesspeople argue it’s a fundamentally flawed way to communicate to begin with.

Subscribe to the Daily Brief, our morning email with news and insights you need to understand our changing world.