Threat Update

Threat actors are creating socially engineered emails containing PowerPoint file attachments with the extension “.ppam” to hide malicious executables that can rewrite Windows registry settings to gain control over end users’ computers. It is one of many stealthy tactics used to target desktop users while evading security detection and appearing legitimate. FinGarde recommends that all end users remain vigilant and report any suspicious emails to us before accessing any attachments.

Technical Detail & Additional Information


In October 2021, reports revealed that attackers were using .ppam files to disguise ransomware. The .ppam file was designed to encrypt files and rename all encrypted files by adding the .ppam extension. At the start of 2022, researchers observed a phishing campaign in which attackers send socially engineered emails to their targets and attach these .ppam files. While the .ppam files appear legitimate, they include malicious payloads that can execute several functions on an end user’s computer without their authorization. These functions can install new programs that can create and open new processes, change file attributes, and dynamically call imported functions. This campaign enabled attackers to evade existing security measures with a file type that is rarely used and won’t set off any alarms.


This phishing campaign is one of many new email-based campaigns discovered by researchers in which attackers target desktop users of word-processing and collaboration apps like the Microsoft Office suite. PowerPoint is a commonly used Microsoft program that can use .ppam files to add functionality when developing slideshow presentations. Since these phishing emails are going undetected by security engines, it is important that all end users use caution before attempting to access email attachments. Typically, attackers use emails to deliver malicious files or links to steal user information.


Attackers are using email services to deliver these malicious payloads to end users. Without proper training on how to handle these suspicious emails, end users are likely to click on the attachment and execute the malicious payload. Once the computer is infected, the attackers have unauthorized control over the end user’s computer and can potentially gain access to confidential information, spread across the environment, or add and remove programs as they see fit.


FinGarde recommends that all of our clients implement training sessions for their end-users on how to identify and report phishing emails. Additionally, security administrators should implement email protection which can download all files into a sandbox and review them for malicious content.
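One way a mail-filtering step could pick out .ppam attachments and hold them for sandbox review, as an added example (not FinGarde's code or any product's). The function names, the `hold_for_sandbox` label and the sample message are hypothetical and constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

WATCHED_EXTENSIONS = {".ppam"}  # extension named in the advisory; extend per local policy


def triage_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that carries a watched extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() not in WATCHED_EXTENSIONS:
            continue
        payload = part.get_payload(decode=True) or b""
        is_zip, has_vba = False, False
        try:
            # A genuine add-in is an OOXML (ZIP) container; macros live in vbaProject.bin.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                is_zip = True
                has_vba = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            pass  # extension and content disagree: still held for review
        findings.append({"filename": name, "is_ooxml_zip": is_zip,
                         "has_vba_project": has_vba, "action": "hold_for_sandbox"})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a harmless ZIP named like an add-in, plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/vbaProject.bin", b"placeholder bytes, not real VBA")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Constructed sample", "a@example.com", "b@example.com"
    msg.set_content("See attached.")
    for data, fname in ((buf.getvalue(), "Invoice.PPAM"), (b"notes", "notes.txt")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print(finding)
```

The check matches the extension case-insensitively and holds every match, so a .ppam that is not a valid ZIP container is still sent for review rather than passed through.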


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact us.
