Just hovering over a PowerPoint link can infect your computer!

There is a new way to infect your computer: a PowerPoint file in which simply hovering your mouse over a web link triggers the attack.

The attack is a malicious PowerShell script inside a PowerPoint file, either a .PPSX (Microsoft PowerPoint Open XML Slide Show) or a .PPS (PowerPoint Show) file.

When the PPSX/PPS file is opened, Office will switch to Protected View to protect against infected documents.

Hover over the link in the PowerPoint slide and Protected View will warn with a security notice.

Source: Trend Micro

It’s a clever trick because merely hovering over a link is easy to do and should be an ‘innocent’ action.  A lot of security advice is about not clicking suspicious links.

In this case, the infected file arrives in an email that’s supposed to be an invoice. You’d hope that an invoice as a PowerPoint attachment (not Word) would be a ‘red flag’ to any prudent computer user.

Trend Micro has a page describing the attack in detail.  The actual trojan infection has been used in the past. What’s new is the method of getting the malevolent code running on a computer.
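For mail gateways or help desks that want to check a suspect attachment without opening it in PowerPoint, here is an added example (not from Trend Micro or Office Watch) that lists every mouse-over action in an Open XML slide show. It reads the file as a ZIP archive and looks for the DrawingML hlinkMouseOver element; the function names and the sample archive are constructed for illustration, and the legacy binary .PPS format is not covered.

```python
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SLIDE_RE = re.compile(r"^ppt/slides/[^/]+\.xml$")


def load_rels(zf, slide):
    """Map relationship id -> (target, is_external) for one slide part."""
    folder, name = posixpath.split(slide)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_path))
    return {rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode") == "External")
            for rel in root.iter(f"{{{REL_NS}}}Relationship")}


def find_hover_actions(data):
    """Return one finding per mouse-over action in a PPSX/PPTX given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for slide in sorted(n for n in zf.namelist() if SLIDE_RE.match(n)):
            rels = load_rels(zf, slide)
            for el in ET.fromstring(zf.read(slide)).iter(f"{{{A_NS}}}hlinkMouseOver"):
                target, external = rels.get(el.get(f"{{{R_NS}}}id"), ("", False))
                action = el.get("action", "")
                findings.append({"slide": slide, "action": action, "target": target,
                                 "external": external,  # hover that launches a program:
                                 "runs_program": action.lower().startswith("ppaction://program")})
    return findings


def build_sample():
    """Constructed two-part archive (not a complete presentation) for testing."""
    slide = (f'<p:sld xmlns:p="urn:constructed" xmlns:a="{A_NS}" xmlns:r="{R_NS}">'
             '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></p:sld>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" '
            'Target="constructed-placeholder.exe" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Any finding with runs_program set is worth quarantining, since ordinary invoices have no reason to launch a program on hover. ElementTree keeps the example dependency-free; for untrusted files a hardened parser such as defusedxml is the safer choice.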

Protect yourself with Protected View

Protected View is a way to look at a newly arrived document without fully enabling Office’s features.

You’ll see it when opening an email attachment or document from the web. A notice appears saying “… it’s safer to stay in Protected View” and that’s absolutely right.

Protected View can be a nuisance but don’t disable it entirely.  It’s your last line of defence against a hacked document and is worth the little trouble it causes.
