{
	"id": "bdc544af-8b22-43d5-8c9d-fcb9636bebca",
	"created_at": "2026-04-06T00:21:35.664277Z",
	"updated_at": "2026-04-10T03:21:13.872465Z",
	"deleted_at": null,
	"sha1_hash": "08f321f34ff5ec4999f0ec49d549b1b27ddc69cf",
	"title": "Attack on Critical Infrastructure Leverages Template Injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746433,
	"plain_text": "Attack on Critical Infrastructure Leverages Template Injection\r\nBy Sean Baird\r\nPublished: 2017-07-07 · Archived: 2026-04-05 13:29:39 UTC\r\nFriday, July 7, 2017 16:34\r\nExecutive Summary\r\nAttackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic Word document attachment phish. Typically, a malicious Word document sent as an attachment to a phishing email will itself contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. Instead, the attachment tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also be used to download other malicious payloads to the victim's computer.\r\nBackground\r\nSince at least May 2017, Talos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers and the vendors those providers use to deliver critical services. Attacks on critical infrastructure are not a new concern for security researchers: adversaries have long been keen to understand the ICS networks of critical infrastructure, for reasons unknown but surely nefarious.\r\nOne objective of this most recent attack appears to be to harvest the credentials of users who work within the critical infrastructure and manufacturing industries. Using a new twist on an old attack method, a clever adversary stole credentials from their victims by sending malicious Word documents via email. 
These documents, when opened, attempt to retrieve a template file from an attacker-controlled external SMB server.\r\nTechnical Investigation\r\nIn the midst of recent attack trends and global campaigns, it has become easy to pass over simple techniques that have served attackers well for years. As Talos has recently observed, a new take on a reliable technique can sometimes make it even more effective.\r\nWhile investigating a recently reported attack and pivoting on the data provided, we landed on several interesting DOCX samples which were delivered as attachments in malicious spam emails. As shown below, these documents often claimed to be environmental reports or résumés/CVs.\r\nhttps://blog.talosintelligence.com/2017/07/template-injection.html\r\nPage 1 of 9\n\nSample email containing a malicious document\r\nOne DOCX sample used during this attack\r\nAnother DOCX sample used during this attack\r\nApplying social engineering techniques to craft convincing documents that entice targets to open them is a technique frequently used by attackers. We have no evidence that these documents are anything other than malicious. Additionally, we have no information to suggest that any entity mentioned in any of these documents has itself been subject to an attack as part of this campaign.\r\nOur first expectation was that we would find some malicious VBA macros or embedded scripting within the sample itself. 
Examination for VBA code provided no such leads:\r\nAnalysis of the document using oletools\r\nWe confirmed this by running the sample against another similar tool:\r\nFurther analysis of the DOCX\r\nAgain, none of the usual indicators of an embedded binary that would contain such code appeared in our analysis. The sample had been acquired from our sandbox by researching an IP address related to the attack, but the server was no longer accepting such requests at the time of the sandbox run. While we investigated other leads, we set up an isolated environment with a server listening on TCP 80 to determine what the document was trying to obtain, if anything.\r\nAt the loading screen for Word, we noticed something interesting:\r\nWord attempting to load a template\r\nThe document was trying to pull down a template file from a particular IP, but no connection over TCP 80 had yet reached our decoy server. Sure enough, our live capture showed a failed handshake over TCP 445 instead. It was now time to manually parse the contents of the document for the IP address in question. Instead of code, we found an instance of template injection:\r\nInstance of template injection found in the document\r\nOur initial intelligence concerning the attack suggested that a malicious SMB server was being used to silently harvest user credentials. As conveyed in the sample, we can now see that an injected template was used to establish such a connection to an external server over SMB. Still, this did not explain why the same sample had attempted a session over TCP 80. After further research, we determined that the sandbox VM's network provider configuration preferred WebDAV over SMB for this type of connection. 
In short, because of the host's provider preference, the template was requested over a WebDAV connection rather than an SMB session. This was confirmed with another related sample when another external server was still listening on TCP 80 but no longer serving the template. The same behaviour should be expected on any Windows client where the WebClient service is running: when a UNC path cannot be reached over SMB on TCP 445, the WebDAV redirector retries the same path over HTTP on TCP 80, so blocking 445 alone does not stop the template fetch.\r\nSandbox PCAP of the sample\r\nThe only lead left to pursue from the template settings was the specific Relationship ID present in word/_rels/settings.xml.rels within the sample: rId1337. Researching this Relationship ID led us to the GitHub page of a phishing tool named Phishery, which uses the exact same ID in its template injection:\r\nGitHub page of the Phishery tool\r\nSurprisingly, the same ID is found at the bottom of the aforementioned Go source:\r\n\"rId1337\" found in the Phishery tool, line 105.\r\nPhishery, however, does NOT rely on a malicious SMB server. Rather, the connection is handled over HTTPS, and the user credentials are harvested via Basic Authentication with a prompt for the credentials. Such a prompt was neither needed nor seen for samples requesting the template over SMB. The fact that both this tool and the reported attack rely on template injection with the exact same Relationship ID suggests one of the following:\r\n1. Mere coincidence (always a possibility);\r\n2. The attackers took notice of this tool and either modified it or developed their attack from scratch while sticking to the same concept used by the tool; or\r\n3. 
The attackers used the same Relationship ID to thwart analysis of the attack itself (remember: our first inclination was to follow up on the failed connection attempts over TCP 80).\r\nAt this time, there is no evidence to confirm any of the three possibilities. However, the attackers' reliance on a successful SMB session stemming from outbound traffic over TCP 445 further confirms that organizations are still failing to properly block such egress traffic to public hosts. No credential prompt is needed for the SMB variation: Windows attempts NTLM authentication to the remote share automatically, so the attacker's server can capture the user's NTLM challenge/response without any interaction, which is what makes the technique so simple and effective. If an attacker is able to compromise a host and run such a server internally, the situation becomes significantly more grave.\r\nFurthermore, since the attacker-controlled SMB server was down when we analyzed these samples, it is not possible to determine the ultimate payloads (if any) that could have been dropped by the downloaded template. As we have seen with recent attacks, the intent of an attack is not always obvious. Forcing SMB requests to an external server has been a known weakness for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\r\nConclusion\r\nTalos responded to these attacks by reaching out to known affected customers and ensuring that they were aware of and capable of responding to the threat. 
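The following is an added example written for this page; it is not Talos's analysis tooling and not code from the Phishery project. It does in code what the investigation above did by hand: it opens the .docx package as a zip, reads word/settings.xml for the w:attachedTemplate binding and word/_rels/settings.xml.rels for an External relationship of the attachedTemplate type, and reports the target together with the transport Word would use (a UNC path means SMB on TCP 445 with the WebDAV fallback on TCP 80; an http(s) URL is the Phishery-style variant). The sample package it builds, the relationship ID rId1337 it reuses, and the 192.0.2.10 and 203.0.113.5 targets are constructed test data, not artifacts from the campaign.

```python
# Added example (editor's illustration, not Talos's analysis tooling or the
# Phishery project's code): find remote-template injection in a .docx by
# reading the OOXML package parts the investigation inspected by hand.
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type Word uses for an attached template.
PKG_REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
DOC_REL_NS = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'
WORD_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
ATTACHED_TEMPLATE = DOC_REL_NS + '/attachedTemplate'


def classify_target(target):
    '''Transport Word will use to fetch an external template target.'''
    t = target.strip().lower()
    # UNC path: SMB on TCP 445 first; if that fails and the WebClient service
    # is running, Windows retries the same path as WebDAV over TCP 80.
    if t.startswith(chr(92) * 2) or t.startswith('//') or t.startswith('file:'):
        return 'smb-or-webdav'
    # Phishery style: plain HTTP(S) fetch that can demand Basic authentication.
    if t.startswith('https://') or t.startswith('http://'):
        return 'http'
    return 'other'


def find_injected_templates(docx_bytes):
    '''Return one record per External attachedTemplate relationship in the package.'''
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if 'word/_rels/settings.xml.rels' not in names:
            return hits
        # Relationship IDs that word/settings.xml actually binds to w:attachedTemplate.
        bound = set()
        if 'word/settings.xml' in names:
            settings = ET.fromstring(z.read('word/settings.xml'))
            for el in settings.iter('{%s}attachedTemplate' % WORD_NS):
                rid = el.get('{%s}id' % DOC_REL_NS)
                if rid:
                    bound.add(rid)
        rels = ET.fromstring(z.read('word/_rels/settings.xml.rels'))
        for rel in rels.iter('{%s}Relationship' % PKG_REL_NS):
            if rel.get('Type') != ATTACHED_TEMPLATE:
                continue
            if rel.get('TargetMode') != 'External':
                continue  # template stored inside the package: no network fetch
            target = rel.get('Target', '')
            hits.append({
                'rid': rel.get('Id'),
                'target': target,
                'transport': classify_target(target),
                'bound_in_settings': rel.get('Id') in bound,
            })
    return hits


def build_sample_docx(target, rid='rId1337', external=True):
    '''Constructed stand-in for a sample: only the package parts the scanner reads.'''
    settings_xml = '''<w:settings xmlns:w='%s' xmlns:r='%s'><w:attachedTemplate r:id='%s'/></w:settings>''' % (WORD_NS, DOC_REL_NS, rid)
    mode = ''' TargetMode='External' ''' if external else ''
    rels_xml = '''<Relationships xmlns='%s'><Relationship Id='%s' Type='%s' Target='%s'%s/></Relationships>''' % (PKG_REL_NS, rid, ATTACHED_TEMPLATE, target, mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('word/document.xml', '''<w:document xmlns:w='%s'/>''' % WORD_NS)
        z.writestr('word/settings.xml', settings_xml)
        z.writestr('word/_rels/settings.xml.rels', rels_xml)
    return buf.getvalue()


if __name__ == '__main__':
    # Constructed targets in documentation address space, not campaign IOCs.
    unc = chr(92) * 2 + '192.0.2.10' + chr(92) + 'share' + chr(92) + 'template.dotm'
    samples = (
        build_sample_docx(unc),                                   # SMB / WebDAV variant
        build_sample_docx('https://203.0.113.5/report.dotx'),     # Phishery-style variant
        build_sample_docx('template.dotm', external=False),       # benign: template inside the package
    )
    for sample in samples:
        print(find_injected_templates(sample))
```

The scan is intentionally narrow: it only raises a hit when the relationship is both of the attachedTemplate type and marked External, and it records whether settings.xml actually references that ID, since a dangling relationship in the .rels file is never fetched. On real files, run the same function over the bytes of the attachment; the transport label tells you whether to look for TCP 445/80 egress or an HTTPS request with a Basic-auth challenge in the surrounding network capture.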
The incident also illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment.\r\nAdditionally, a number of ClamAV signatures and email rules were written to ensure that threats leveraging this Office template injection technique are blocked in the future.\r\nCoverage\r\nClamAV signatures created to identify this attack:\r\nDoc.Tool.Phishery-6331699-0\r\nDoc.Downloader.TemplateInjection-6332119-0\r\nDoc.Downloader.TemplateInjection-6332123-0\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) blocks the malicious Word documents used by these threat actors.\r\nCWS, WSA, and Umbrella can help identify outbound connections used by these threat actors.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nAMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.\r\nIOCs\r\nDue to the nature in which we obtained intelligence related to these attacks, we are unable to share all of the IOCs related to this event; however, we wanted to share as much as possible in the spirit of transparency and collaboration.\r\nMalicious Documents\r\nFilename: Report03-23-2017.docx\r\nSHA256: 93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9\r\nFilename: Controls Engineer.docx\r\nSHA256 (three variants):\r\nb02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa\r\n3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0\r\nac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08\r\nRelated IP Addresses\r\n184[.]154[.]150[.]66\r\n5[.]153[.]58[.]45\r\n62[.]8[.]193[.]206\r\nSource: 
https://blog.talosintelligence.com/2017/07/template-injection.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/07/template-injection.html"
	],
	"report_names": [
		"template-injection.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08f321f34ff5ec4999f0ec49d549b1b27ddc69cf.pdf",
		"text": "https://archive.orkl.eu/08f321f34ff5ec4999f0ec49d549b1b27ddc69cf.txt",
		"img": "https://archive.orkl.eu/08f321f34ff5ec4999f0ec49d549b1b27ddc69cf.jpg"
	}
}