Word: 3rd party citation add-in in reference tab

🚨 The Signal: Word now integrates third-party citation add-ins directly into the References tab. This change introduces new potential attack vectors through third-party code execution within documents, increasing supply chain risk.

The Impact

All users are affected by increased risk from third-party add-ins, potentially leading to data compromise or system infection.

  • End users face increased risk from malicious third-party add-ins.
  • Security teams must assess new supply chain risks from integrated citation tools.
  • Admins need to review and potentially restrict add-in usage to maintain security posture.
  • Organisations face potential data exfiltration or system compromise via untrusted add-ins.

The Action

  1. Review existing Microsoft 365 add-in policies for Word via Microsoft 365 admin center > Settings > Org settings > Services > User owned apps and services.
  2. Implement or update policies to restrict third-party add-in installation to approved sources only via Microsoft 365 admin center > Settings > Org settings > Services > Add-ins.
  3. Communicate to end-users about the risks of installing unapproved add-ins and provide guidance on approved sources.
  4. Monitor Microsoft Purview Audit logs for add-in installations and usage, specifically looking for 'Add-in installed' events.
  5. Consider using Application Control (e.g., AppLocker or WDAC) to restrict execution of unapproved add-ins.
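
As an added example (not part of the original alert), the following PowerShell pulls the Unified Audit Log through Exchange Online PowerShell and tabulates add-in installation activity for step 4. It assumes an existing Connect-ExchangeOnline session with audit-log read rights; the operation-name pattern `add-?in` is an assumption about how the events are labelled and should be adjusted to the operation names your tenant actually returns.

```powershell
# Added example, not from the original alert. Requires the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session with audit log read rights.
param(
    [int]$Days = 7,
    # Assumption: add-in events carry "Add-in"/"AddIn" in the Operations field.
    [string]$OperationPattern = 'add-?in'
)

$end   = Get-Date
$start = $end.AddDays(-$Days)

# Server-side free-text search narrows the result set; the precise filter on the
# Operations field is applied client-side below. 5000 is the per-call maximum.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -FreeText 'add-in' -ResultSize 5000

$events = foreach ($rec in $records) {
    if ($rec.Operations -notmatch $OperationPattern) { continue }
    # AuditData is a JSON payload using the common audit schema fields.
    $data = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $rec.CreationDate
        User      = $rec.UserIds
        Operation = $rec.Operations
        Workload  = $data.Workload
        Target    = $data.ObjectId     # add-in / object acted on, where populated
        ClientIP  = $data.ClientIP
    }
}

# Installs per user: a quick signal for users side-loading unapproved add-ins.
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Full detail for triage and hand-off to whoever owns the approved-add-in list.
$stamp = $end.ToString('yyyyMMdd')
$events | Sort-Object When |
    Export-Csv -NoTypeInformation -Path "addin-events-$stamp.csv"
```

Run it on a schedule and diff the CSV against the approved-source list from step 2 so new or unexpected add-ins surface without manual log review.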

Domain: M365-Apps · Impact: high · Workload: M365 Apps · Essential Eight: Application Control, User Application Hardening · ISM: ISM-0843, ISM-1412, ISM-1485, ISM-1486, ISM-1490, ISM-1542, ISM-1544, ISM-1582, ISM-1585, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1667, ISM-1668, ISM-1669, ISM-1670, ISM-1823, ISM-1824, ISM-1859, ISM-1860, ISM-1870, ISM-1871