Microsoft is combating a surge in macro-based malware with a new feature that allows system administrators to configure Office 2013 to block Word, Excel, and PowerPoint macros. The capability had previously been introduced in March by Microsoft for its Office 2016 software.
Microsoft said incidents of macro-based malware hiding in Office documents have steadily been on the rise in 2016. In the enterprise, Microsoft reports, 98 percent of Office-targeted threats still use old-school macro-based attacks.
“The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected,” Microsoft said in May.
Some of those threats have included several new strains of macro attacks, including one that distributed the Donoff downloader, reported in May by Microsoft’s Malware Protection Center. Other macro-based attacks in the past year have included one targeting Amazon customers with a large Locky spear-phishing campaign. More recently, last month SentinelOne found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment.
With its Office 2013 support announced Wednesday, administrators will be able to configure macro support for Word, Excel and PowerPoint files under the Group Policy Administrative Templates for Office 2013. The feature allows IT administrators to set group or individual policies to either block macros or increase the visual warnings seen by users attempting to enable a macro.
Researchers at Palo Alto Networks said the number of macro-based attacks has been on the decline since peaking earlier this summer. “We’ve seen a slight decrease in the past two months,” said Brad Duncan, threat intelligence analyst. “This feature should mitigate the problem, but only for those enterprises able to implement it. Malicious macros in Office documents will remain an issue for the majority of potential targets,” Duncan told Threatpost.
The uptick in macro-based attacks began earlier this summer. In a study released in May, Palo Alto reported 1.2 million instances of the Bartallex family of malware delivered via malicious macro documents. That was up from last year’s total of 100,000.
“We suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There are a whole new pool of victims that don’t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,” said Ryan Olson, researcher, in an interview with Threatpost in May.