Microsoft’s PPT add-on adds and hides more than it lets on. Security researchers at Avanan, a CheckPoint company, discovered that attackers are using the add-on feature in Microsoft PowerPoint to insert the .ppam file to hide malware.

Avanan mentioned that hackers are showing a generic purchase order email, a common phishing message. Hackers are using it to hide a malicious process that will overwrite the registry process once it is installed. Avanan’s researchers revealed that they have been seeing this phenomenon since the beginning of the new year. They described the new hacking campaign as “.ppam executables.”

Microsoft ransomware

Collaborative features in an app are like manna to cybercriminals.

The researchers mentioned that Microsoft PPT’s little-known add-on has bonus commands and custom macros among other functions. Hackers are using this feature to hide malware that can damage your data. Jeremy Fuchs, one of the key experts at Avanan stated that, “the file will overwrite the registry settings in Microsoft’s computer system (Windows), allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer’s memory.” Experts believe that hackers could exploit this vulnerability as the Microsoft PPT add-on is not very popular. They are worried that this can be exploited to execute malicious campaigns and massive ransomware breaches.

They believe that the attacks are made possible due to the company’s collaboration suite which makes it easier for criminals to send their ransomware, malware, and other cyberattacks to unsuspecting victims.

Past attacks

According to Harvard Business Review, in 2020, the ransom paid by companies grew by 300%.

In 2021, cybercrime rose to new heights as hackers continued to target critical infrastructure as more and more people opted to continue working from home. Governments have taken note of the rise in attacks, and have started putting stringent laws in place to combat this growing menace.  Ransomware offers a low-risk, high-profit model that is irresistible to attackers.

According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”


In January, hackers redirected crypto buyers to a fake website that advertised NFTs by Amazon. The scheme played on the buyer’s fear-of-missing-out to give them less time to verify facts before making a purchase. As the token were non-existent, the scammers pocketed the money.

One hacker might develop a type of malware that attacks a certain category of people. After gleaning the required information, they might use the data to exhort money or steal intellectual property from their devices.

One of the biggest examples of how dangerous ransomware can be is the breach of the Colonial Pipeline on May 7, 2021. The pipeline which carries gasoline and jet fuel was attacked by cybercriminals who targeted its computer operated machinery that controlled the pipeline. The hackers demanded a payment of 75 bitcoin or $4.4 million to help the company restore the system. It is also believed that the hackers, suspected to be the DarkSide, stole 100 GB of data before the attack.

Researchers urge users of collaborative apps like Microsoft Office, Google Docs, and Adobe Creative Cloud to be wary of clicking on links and push notifications.

Word of Caution

It is extremely important to invest in good resources to prevent such attacks. Cyber security experts rec doing thorough research before downloading free extensions and add-ons. They also suggest having typical precautions like having antivirus software from a reputed company in place for personal devices. It can help detect, prevent, and delete viruses from your PC or laptop. In an increasingly digital world, any compromise on your digital identity can result in big financial losses and data loss.