Skip to main content
Microsoft Security Intelligence
Published Aug 20, 2019 | Updated Sep 13, 2021

TrojanDownloader:O97M/Donoff.SA

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat uses a maliciously-crafted Microsoft Office document to download additional payload. It can arrive on your device as spam email attachment, usually as a Word file (.doc).

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the potential victim to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. 

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for this known vulnerability. Keep your antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

To learn more about mitigating DDE attack scenarios, CVE-2021-40444 - Security Update Guide - Microsoft - Microsoft MSHTML Remote Code Execution Vulnerability  

Guidance for end users

Take these steps to help prevent malware infection on your computer.

Guidance for enterprise administrators

Apply these mitigations to reduce the impact of this threat.

  • Submit spam and non-spam messages to Microsoft for analysis.
  • Follow the appropriate Exchange Online Protection instructions to suit your business needs.
  • Learn about how Microsoft Defender for Office 365 can help you block spam using machine learning. See anti-malware protectionanti-spam protectionanti-phishing protectionanti-spoofing protection for details.
  • Be aware of the dangers in opening suspicious emails. Don't open email attachments or links from untrusted sources.
  • Microsoft Defender SmartScreen integrates with Microsoft Edge to block malicious websites, including phishing sites, scam sites, and other malicious sites. It’s built-in and enabled by default in Microsoft email programs. On the other hand, Network protection blocks connections to malicious domains and IP addresses.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  • To reduce the attack surface, Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in this attack
Follow us