PhantomBlu Cyberattackers Backdoor Microsoft Office Users via OLE

Published: 23/11/2024   Category: security

The cyber campaign uses social engineering and sophisticated evasion tactics, including a novel malware-delivery method, to compromise hundreds of Microsoft Office users.

A malicious email campaign is targeting hundreds of Microsoft Office users in US-based organizations to deliver a remote access trojan (RAT) that evades detection, partially by showing up as legitimate software.
In a campaign dubbed PhantomBlu by researchers at Perception Point, attackers impersonate an accounting service in email messages that invite people to download a Microsoft Office Word file, purportedly to view their monthly salary report. Targets receive detailed instructions for accessing the password-protected report file, which ultimately delivers the notorious NetSupport RAT, malware spun off from the legitimate NetSupport Manager, a legitimately useful remote technical support tool. Threat actors previously have used the RAT to footprint systems before delivering ransomware on them.
"Engineered for stealthy surveillance and control, it transforms remote administration into a platform for cyber attacks and data theft," Perception Point web security expert Ariel Davidpur revealed in a blog post published this week.
"Once installed on a victim's endpoint, NetSupport can monitor behavior, capture keystrokes, transfer files, take over system resources, and move to other devices within the network, all under the guise of benign remote support software," he wrote.
The campaign represents a novel delivery method for NetSupport RAT via manipulation of Object Linking and Embedding (OLE) templates. "It's a nuanced exploitation method that uses legitimate Microsoft Office document templates to execute malicious code while evading detection," Davidpur wrote.
If a user downloads the .docx file attached to the campaign's messages and uses the accompanying password to access it, the content of the document further instructs targets to click "enable editing" and then to click the image of a printer embedded in the document in order to view their salary graph.
The printer image is actually an OLE package, a legitimate feature in Microsoft Windows that allows embedding and linking to documents and other objects. "Its legitimate use enables users to create compound documents with elements from different programs," Davidpur wrote.
Via OLE template manipulation, the threat actors exploit document templates to execute malicious code without detection by hiding the payload outside of the document. The campaign is the first time this process was used in an email to deliver NetSupport RAT, according to Perception Point.
"This advanced technique bypasses traditional security systems by hiding the malicious payload outside the document, only executing upon user interaction," Davidpur explained.
Indeed, by using encrypted .doc files to deliver the NetSupport RAT via OLE template and template injection (CWE T1221), the PhantomBlu campaign departs from the conventional tactics, techniques, and procedures (TTPs) commonly associated with NetSupport RAT deployments.
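As an added defender-side example (not Perception Point's code and not part of the original article), the following Python scan flags the two document-level traits described above in a decrypted .docx: an embedded OLE package under word/embeddings/ and an attached-template relationship that points outside the document, which is how template injection keeps the payload off the file itself. The archive contents, object name and template URL are constructed for illustration; a password-protected document like PhantomBlu's is a CFB container rather than a zip and must be decrypted before this check can read it.

```python
import io
import re
import zipfile

# Relationship type Word uses for the attached template, stored in word/_rels/settings.xml.rels.
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def scan_docx(data: bytes) -> dict:
    """Return embedded OLE object paths and external template URLs found in an OOXML .docx."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Encrypted Office files are OLE compound (CFB) containers, not zips: decrypt first.
        raise ValueError("not an OOXML zip; password-protected documents must be decrypted first")
    findings = {"ole_objects": [], "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Embedded OLE packages (such as the fake printer image) live under word/embeddings/.
        findings["ole_objects"] = [n for n in z.namelist() if n.startswith("word/embeddings/")]
        rels = "word/_rels/settings.xml.rels"
        if rels in z.namelist():
            xml = z.read(rels).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = m.group(0)
                # Template injection: attachedTemplate marked External and pointing at a URL.
                if TEMPLATE_REL in tag and 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]+)"', tag)
                    if target and target.group(1).lower().startswith(("http://", "https://")):
                        findings["remote_templates"].append(target.group(1))
    return findings


def build_sample_docx(with_indicators: bool = True) -> bytes:
    """Construct a minimal, inert .docx-like archive (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_indicators:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # stand-in for a packaged object
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" Type="%s" '
                'Target="http://template.example/report.dotm" TargetMode="External"/>'
                "</Relationships>" % TEMPLATE_REL,
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

Either finding on its own is a reason to hold the message for review; a document that carries both matches the delivery chain described in this article.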
"Historically, such campaigns have relied more directly on executable files and simpler phishing techniques," Davidpur wrote. The OLE method demonstrates the campaign's innovation in blending sophisticated evasion tactics with social engineering, he wrote.
In their investigation of the campaign, the Perception Point researchers dissected the delivery method step by step, discovering that, like the RAT itself, the payload hides behind legitimacy in an effort to fly under the radar.
Specifically, Perception Point analyzed the return path and message ID of the phishing emails, observing the attackers' use of the SendInBlue or Brevo service. Brevo is a legitimate email delivery platform that offers services for marketing campaigns.
"This choice underscores the attackers' preference for leveraging reputable services to mask their malicious intent," Davidpur wrote.
Since PhantomBlu uses email as its method to deliver malware, the usual techniques to avoid compromise — such as instructing and training employees about how to spot and report potentially malicious emails — apply.
As a general rule, people should never click on email attachments unless they come from a trusted source or someone that users correspond with regularly, experts say. Moreover, corporate users especially should report suspicious messages to IT administrators, as they may indicate signs of a malicious campaign.
To further assist admins in identifying PhantomBlu, Perception Point included a comprehensive list of TTPs, indicators of compromise (IOCs), URLs and hostnames, and IP addresses associated with the campaign in the blog post.
