
How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload

  • June 5, 2025

Jasper_The_Rasper
Moderator

By Shiyin Lin | June 05, 2025


Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Control and Collect Sensitive Information from a Victim’s Device
Severity level: Critical


FortiGuard Labs recently observed a high-severity phishing campaign targeting users of older Office versions through malicious email attachments. The emails deliver an Excel file designed to exploit CVE-2017-0199, a known flaw in the OLE (Object Linking and Embedding) functionality of older Microsoft Office versions. The malware spread in this campaign is FormBook, an information stealer known for capturing sensitive data, including login credentials, keystrokes, and clipboard contents. Once the malicious Excel file is opened, a chain of operations runs and ultimately executes the FormBook payload.


Phishing Email Initialization

The phishing campaign starts with an email disguised as a sales order urging the recipient to open an attached Excel document. As shown in Figure 1, FortiMail has flagged the email as “[virus detected]” in the Subject line to warn the recipient.

Figure 1: Example of the Phishing Email


CVE-2017-0199

CVE-2017-0199 is a logic vulnerability in older versions of the Office applications (Office 2007/2010/2013/2016). When a user opens an Office document crafted to target this vulnerability, the application sends an HTTP request to a remote server to retrieve a malicious HTA file. It then uses COM objects to look up the handler for the application/hta file type, which causes the Microsoft HTML Application host (mshta.exe) to load and execute the malicious script.
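Because the exploit chain ends with an Office process handing execution to mshta.exe, the most reliable host-side signal a defender has is the parent/child relationship itself: Excel, Word or PowerPoint spawning mshta.exe. The following detection is an added example, not code from the FortiGuard article; it assumes a simplified key=value process-creation log format (constructed here; real Sysmon or EDR field names differ) and flags any event where an Office application is the parent of mshta.exe, ignoring legitimate mshta launches from other parents and legitimate Office child processes such as print helpers.

```python
"""
Flag Office applications (Excel/Word/PowerPoint) spawning mshta.exe in
process-creation logs. Added example; the log schema is constructed for
illustration and is not a specific vendor's format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office parents that a CVE-2017-0199-style document would be opened in.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script host that executes the retrieved HTA file.
SCRIPT_HOST = "mshta.exe"

# Each log line is a sequence of key="value" pairs; values contain no quotes.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
REQUIRED_FIELDS = ("ts", "host", "parent_image", "image", "cmdline")


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one key="value" log line; return None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(key in fields for key in REQUIRED_FIELDS):
        return None
    return ProcessEvent(
        timestamp=fields["ts"],
        host=fields["host"],
        parent_image=fields["parent_image"],
        image=fields["image"],
        command_line=fields["cmdline"],
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so case and directory do not matter."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office_mshta_spawn(event: ProcessEvent) -> bool:
    """True when an Office application is the direct parent of mshta.exe."""
    return (
        basename(event.parent_image) in OFFICE_PARENTS
        and basename(event.image) == SCRIPT_HOST
    )


def detect(lines: List[str]) -> List[ProcessEvent]:
    """Return every parseable event matching the Office -> mshta.exe rule."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None and is_office_mshta_spawn(event):
            hits.append(event)
    return hits


# Constructed sample log: two suspicious events, two benign ones, one malformed line.
SAMPLE_LOG = [
    r'ts="2025-06-05T09:12:01Z" host="ws-17" parent_image="C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" image="C:\Windows\System32\mshta.exe" cmdline="C:\Windows\System32\mshta.exe"',
    r'ts="2025-06-05T09:12:05Z" host="ws-17" parent_image="C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" image="C:\Windows\splwow64.exe" cmdline="C:\Windows\splwow64.exe 12288"',
    r'ts="2025-06-05T09:14:30Z" host="ws-02" parent_image="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="C:\Windows\System32\mshta.exe C:\Tools\inventory.hta"',
    r'ts="2025-06-05T09:20:11Z" host="ws-23" parent_image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" image="C:\Windows\SysWOW64\MSHTA.EXE" cmdline="MSHTA.EXE"',
    'this line is not a process-creation record',
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host}: {basename(hit.parent_image)} -> {basename(hit.image)}")
```

Running the block prints the two Office-parented mshta.exe events (ws-17 and ws-23) and nothing for the explorer-launched HTA or the print helper. In production the same rule is usually expressed as a Sysmon Event ID 1 or EDR query on ParentImage/Image, and it is worth extending the child set beyond mshta.exe once you have baselined which child processes your Office deployment legitimately spawns.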

