Hackers have been exploiting macros in Microsoft Office products for years, but now their tactics are changing as Microsoft has begun blocking macros by default.
The typical attack scenario involves phishing via email attachments, such as Word, Excel or PowerPoint documents containing malicious macros infected with malware.
Such documents are common in enterprises, and the Microsoft Office suite is widely used. Macros are meant to add functionality and handle some tasks automatically. The problem is that behind the scenes macros execute code, and that’s an opportunity for hackers.
Advanced users can employ a subset of the commands available in a specific language, such as XL4 (Excel) or VBA (Visual Basic for Applications). Macros remove the hassle of writing VBA or XL4 code, which would likely take more time and effort. However, hackers can use them to embed malicious code.
If they manage to make legitimate users execute their instructions, the victims unwittingly become their partners in crime. It’s not uncommon for hackers to use this approach to start unauthorized sessions and deploy ransomware.
Microsoft is now blocking macros by default, so users have to take steps to enable those macros in documents they trust. It’s not the first time Microsoft has attempted such a change; previous attempts were rolled back due to negative user feedback. Nevertheless, threat actors are already moving to alternative approaches.
See the Top Secure Email Gateway Solutions
Hackers Find Alternatives to Macros
According to Proofpoint, “threat actors are adapting to a post-macro world.” The company has observed a “significant decrease in macro-enabled documents leveraged as attachments in email-based threats,” as shown below:
Proofpoint researchers said Microsoft uses a MOTW (Mark Of The Web) attribute to block VBA macros by default.
If a document contains macros, Microsoft will display the following alert:
The MOTW attribute is added by Windows to files that come from an untrusted location, like browser downloads or email attachments. It works, but hackers can use compression formats like .zip, .rar or .iso files to bypass security checks.
If the compressed file has the MOTW attribute but not the file inside, users can decompress and open infected documents without raising any alert.
Attackers may include deceptive instructions in their mail or even call the victims to trick them into enabling macros. The compressed archives can also be used to deliver payloads such as LNKs (Shell Link shortcuts), DLLs (dynamic link libraries), or .exe files directly.
In addition, MOTW is an NTFS feature and does not apply to NTFS alternatives such as FAT, which is the older version of the file system in Windows but is also supported by all versions.
Many drives are formatted with this old format. Everything that is mounted or extracted from such drives would likely be treated as local files without protection.
Major Shift in the Email Threat Landscape
Proofpoint researchers concluded “this is one of the largest email threat landscape shifts in recent history,” and hackers will continue to use container formats to bypass Microsoft macro security.
Active protection on all endpoints is strongly recommended to detect unusual behaviors and suspicious processes early. These phishing attacks have been largely underestimated for years and frequently used in ransomware attacks.
The shift in initial access does not mean Microsoft’s change is completely ineffective. Everything that can restrict unwanted code execution in the background is a step in the right direction. However, it’s certainly not sufficient in the current threat landscape.
See the best Endpoint Detection & Response (EDR) Solutions
