Office Application Startup: Add-ins

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. [1] There are different types of add-ins that can be used by the various Office products, including Word/Excel add-in libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE) add-ins, Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. [2][3]

Add-ins can be used to obtain persistence because Office loads them automatically when the application starts, so code placed in an add-in executes every time the user opens Word, Excel, or Outlook, without any further user action.

ID: T1137.006
Sub-technique of: T1137
Tactic: Persistence
Platforms: Office Suite, Windows
Version: 1.2
Created: 07 November 2019
Last Modified: 24 October 2025

Procedure Examples

ID | Name | Description
S0268 | Bisonal | Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ folder.[4]
S1143 | LunarLoader | LunarLoader has the ability to use Microsoft Outlook add-ins to establish persistence.[5]
S1142 | LunarMail | LunarMail has the ability to use Outlook add-ins for persistence.[5]
G0019 | Naikon | Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.[6]

Mitigations

ID | Mitigation | Description
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes and from writing potentially malicious executable content to disk.[7]

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0050 | Detect Persistence via Malicious Office Add-ins | AN0137 | An adversary writes or drops a malicious Office add-in (e.g., WLL, XLL, COM) to a trusted directory, or modifies registry keys so that the add-in is loaded when an Office application launches. When the user next opens Word or Excel, the add-in is loaded automatically and the payload executes, often spawning scripting engines or other anomalous child processes.
DET0050 | Detect Persistence via Malicious Office Add-ins | AN0138 | Malicious Office add-ins loaded via VSTO, COM, or VBA auto-load paths. On launch of Word, Excel, or Outlook the add-in executes code without user action. The add-in either resides in a trusted directory or is registered through the Office COM/VBE subsystem. Observable behavior includes execution of an unsigned add-in, an anomalous load context, or an Office process spawning an interpreter.
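The two analytics above describe three observables: an add-in file written to an Office startup location, a registry change that registers an add-in for automatic load, and an Office process spawning an interpreter. The following is an added example, not code from the ATT&CK page or from any of the listed procedures, that runs that logic over a handful of constructed Sysmon-style events (file create, registry value set, process create). The event field names, the sample paths and user SIDs, and the specific startup and registry locations chosen as "trusted" are assumptions made for the example; a real deployment would map them to its own telemetry schema and add any additional trusted locations configured in its environment.

```python
"""Toy analytic for DET0050 (AN0137/AN0138): flag Office add-in persistence.

Added example; the events below are constructed, not real telemetry.
"""
import re
from typing import Optional

# Directories Word/Excel scan for add-ins at start, matched as path fragments
# (case-insensitive). %APPDATA%\Microsoft\Word\STARTUP is where the Bisonal and
# Naikon .wll loaders were dropped; XLSTART and AddIns serve Excel.
STARTUP_DIR_RE = re.compile(
    r"\\microsoft\\(word\\startup|excel\\xlstart|addins)\\|"
    r"\\office\d+\\(startup|xlstart)\\",
    re.IGNORECASE,
)
ADDIN_EXTENSIONS = (".wll", ".xll", ".xla", ".xlam", ".dll", ".vsto")

# Registry locations that register an add-in for automatic load (assumed set):
#   ...\Office\<ver>\Excel\Options\OPEN, OPEN1, ...  -> XLL/XLA opened at start
#   ...\Office[\<ver>]\<App>\Addins\<ProgId>\LoadBehavior -> COM/VSTO add-in;
#     bit 0x2 of LoadBehavior means "load at startup" (3 = loaded + startup)
EXCEL_OPEN_RE = re.compile(r"\\office\\[\d.]+\\excel\\options\\open\d*$", re.IGNORECASE)
COM_ADDIN_RE = re.compile(
    r"\\office\\(?:[\d.]+\\)?(?:word|excel|outlook|powerpnt|powerpoint)\\addins\\",
    re.IGNORECASE,
)

OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dword(details: object) -> Optional[int]:
    """Parse a Sysmon-style 'DWORD (0x00000003)' or a bare decimal string."""
    m = re.search(r"0x[0-9a-f]+|\d+", str(details), re.IGNORECASE)
    if not m:
        return None
    tok = m.group(0)
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches an add-in persistence pattern."""
    kind = event.get("type")
    if kind == "file_create":
        target = event["target"]
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(ADDIN_EXTENSIONS):
            return f"add-in written to Office startup location: {target}"
    elif kind == "reg_set":
        target = event["target"]
        if EXCEL_OPEN_RE.search(target):
            return f"Excel auto-open add-in registered: {target} = {event.get('details')}"
        if COM_ADDIN_RE.search(target) and target.lower().endswith("\\loadbehavior"):
            value = _dword(event.get("details"))
            if value is not None and value & 0x2:
                return f"COM/VSTO add-in set to load at startup: {target} = {value}"
    elif kind == "proc_create":
        parent, child = _basename(event["parent_image"]), _basename(event["image"])
        if parent in OFFICE_IMAGES and child in INTERPRETERS:
            return f"Office process {parent} spawned interpreter {child}"
    return None


def scan(events: list) -> list:
    """Run classify() over a batch of events and return the alerts."""
    return [{"reason": r, "event": e} for e in events if (r := classify(e))]


# Constructed sample events (not real telemetry); four of the seven should alert.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\intel.wll"},
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\notes.txt"},
    {"type": "reg_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Excel\Options\OPEN",
     "details": r'/R "C:\Users\alice\AppData\Roaming\stage.xll"'},
    {"type": "reg_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\Outlook\Addins\Sample.Connect\LoadBehavior",
     "details": "DWORD (0x00000003)"},
    {"type": "reg_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\Outlook\Addins\Sample.Connect\LoadBehavior",
     "details": "DWORD (0x00000000)"},
    {"type": "proc_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "proc_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["reason"])
```

The file-write check fires on the add-in extension only when the path is under a startup location, so ordinary document saves in those folders do not alert; the LoadBehavior test keys on the 0x2 bit rather than the literal value 3 so that other startup-load combinations are also caught. The process-lineage check corresponds to the "add-in spawning interpreter process" behavior in AN0138 and is also what the ASR rule in M1040 blocks.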

References