Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office

Cybercriminals turn to container files and other tactics to get around the company’s attempt to thwart a popular way to deliver malicious phishing payloads.

Threat actors are finding their way around Microsoft’s default blocking of macros in its Office suite, using alternative files to host malicious payloads now that a primary channel for threat delivery is being cut off, researchers have found.

The use of macros-enabled attachments by threat actors decreased about 66 percent between October 2021 and June 2022, according to new data by Proofpoint revealed in a blog post Thursday. The beginning of the decrease coincided with Microsoft’s plan to start blocking XL4 macros by default for Excel users, followed up with the blocking of VBA macros by default across the Office suite this year.

Threat actors, demonstrating their typical resilience, so far appear undaunted by the move, which marks “one of the largest email threat landscape shifts in recent history,” researchers Selena Larson, Daniel Blackford and others on the Proofpoint Threat Research Team said in the post.

Though cybercriminals for now continue to employ macros in malicious documents used in phishing campaigns, they also have begun to pivot around Microsoft’s defense strategy by turning to other file types as vessels for malware—namely, container files such as ISO and RAR attachments as well as Windows Shortcut (LNK) files, they said.

Indeed, in the same eight-month time frame in which the use of macros-enabled documents decreased, the number of malicious campaigns leveraging container files including ISO, RAR, and LNK attachments increased nearly 175 percent, researchers found.

“It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments,” they noted.

Macros No More?

Macros, which are used for automating frequently used tasks in Office, have been among the most popular ways to deliver malware in malicious email attachments for at least the better part of a decade, as they can be allowed with a simple, single mouse-click on the part of the user when prompted.

Macros long have been disabled by default in Office, though users always could enable them—which has allowed threat actors to weaponize both VBA macros, which can automatically run malicious content when macros are enabled in Office apps, as well as Excel-specific XL4 macros. Typically the actors use socially engineered phishing campaigns to convince victims of the urgency to enable macros so they can open what they don’t know are malicious file attachments.

While Microsoft’s move to block macros by default so far has not stopped threat actors from using them, it has spurred this notable shift to other tactics, Proofpoint researchers said.

Key to this shift are tactics to bypass the mechanism Microsoft uses to block VBA macros: the Mark of the Web (MOTW), an attribute known as the Zone.Identifier that indicates whether a file came from the internet, researchers noted.

“Microsoft applications add this to some documents when they are downloaded from the web,” they wrote. “However, MOTW can be bypassed by using container file formats.”

Indeed, IT security company Outflank conveniently detailed multiple options for ethical hackers specializing in attack simulation—known as “red teamers”—to bypass MOTW mechanisms, according to Proofpoint. The post does not seem to have gone unnoticed by threat actors, as they also have begun to deploy these tactics, researchers said.

File-Format Switcheroo

To bypass macro blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents, researchers said. This works because, although the container file itself will carry the MOTW attribute, the document inside it, such as a macro-enabled spreadsheet, will not, researchers noted.

“When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web,” they wrote in the post.

Additionally, threat actors can use container files to distribute payloads directly by adding additional content such as LNKs, DLLs, or executable (.exe) files that can be used to execute a malicious payload, researchers said.
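The two delivery patterns above (a macro-enabled document nested inside a container so it lands on disk without the MOTW, and a LNK/DLL/EXE payload placed directly in the container) are what a mail gateway or sandbox should be looking for before extraction. The following is an added detection example, not code from Proofpoint or from the original article: it walks a ZIP attachment and flags members that are Office Open XML packages carrying a VBA project part, or that are LNK/EXE/DLL/XLL payloads. It handles ZIP only; ISO and RAR need dedicated parsers. The sample archive is constructed inline.

```python
import io
import zipfile

# An Office Open XML document (.docm/.xlsm/.pptm) is itself a ZIP; a VBA project
# is stored as this part. Legacy XL4 macros in .xls are not covered here.
VBA_PART = "vbaproject.bin"
# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PAYLOAD_EXTENSIONS = (".lnk", ".exe", ".dll", ".xll")


def is_ooxml_with_vba(data: bytes) -> bool:
    """True if the bytes are an OOXML package that contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith(VBA_PART) for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP-based document at all


def scan_container(data: bytes) -> list:
    """Return (member name, reason) findings for a ZIP container attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = archive.read(info.filename)
            if is_ooxml_with_vba(member):
                findings.append((info.filename, "macro-enabled Office document nested in container"))
            elif info.filename.lower().endswith(PAYLOAD_EXTENSIONS) or member.startswith(LNK_HEADER):
                findings.append((info.filename, "direct payload in container"))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding a minimal .xlsm-style package plus a LNK stub."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")  # placeholder VBA part
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.xlsm", doc.getvalue())
        z.writestr("open_me.lnk", LNK_HEADER + b"\x00" * 8)  # header only, no link target
        z.writestr("readme.txt", "benign text")
    return outer.getvalue()


if __name__ == "__main__":
    for name, reason in scan_container(build_sample()):
        print(f"{name}: {reason}")
```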

Proofpoint also has seen a slight uptick in the abuse of XLL files—a type of dynamic link library (DLL) file for Excel—in malicious campaigns as well, although not as significant an increase as the use of ISO, RAR, and LNK files, they noted.
