Attackers use socially engineered emails with .ppam file attachments that hide malware that can rewrite Windows registry settings on targeted machines.

The attacker used under-the-radar PowerPoint files to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer. It’s one of several ways threat actors recently target desktop users via trusted applications they use daily, utilizing emails designed to evade security detection and appear legitimate.

A new investigation from Avanan, a CheckPoint company, has uncovered how a “little-known add-on” in PowerPoint, the .ppam file, is being used to hide malware. Jeremy Fuchs, a cybersecurity researcher and analyst at Avanan, wrote in a report that the .ppam file has bonus commands and custom macros, among other functions. In January, researchers observed attackers delivering socially-engineered emails that included .ppam file attachments with malicious intent.

Email Attack Vector

One email observed in the campaign, for example, purported to be sending the recipient a purchase order. The attached .ppam file – named PO04012022 to appear legitimate and included a malicious executable, Fuchs said. The payload executed on the computer has many functions on the end user’s machine which are not authorized by the user, including installing new programs, which can create and open new processes, changing file attributes, and dynamically calling imported functions.

By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company,” Fuchs wrote.

The campaign allows attackers to bypass a computer’s existing safety, in this case, the security provided by Google, with a file that is rarely used and thus would not trip in an email scanner.

Plus, it shows the potential threats of files and can be used to wrap any malicious file, including ransomware.

Targeting Desktop Users

The latest scam is one of several new email-based campaigns uncovered by researchers recently to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs, and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.

In November, reports surfaced that scammers used a legitimate Google Drive collaboration feature to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. The links directed users to websites that stole their credentials.

Then a wave of phishing attacks that Avanan researchers identified in December targeted mainly Outlook users, leveraging the “Comments” feature of Google Docs to send malicious links that also lifted credentials from victims.

Last month, the Avanan team reported on another scam that researchers observed in December, in which threat actors were found creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate but instead deliver malware to Office 365 and Gmail users.


One is to install email protection that downloads all files into a sandbox and inspects them for malicious content.

Another is to take extra security steps such as dynamically analyzing emails for indicators of compromise (IoCs) to ensure the safety of messages coming into the corporate network. SPF, Sender Policy Framework is an email authentication technique used to prevent spammers and other bad actors from sending messages spoofed to come from another domain name.


Corporations should also continuously encourage end-users in their networks to contact their IT department if they see an unfamiliar file come over via email.