Attackers Evolve Strategy After Microsoft Office Macro Blocking

Threat actors are adjusting their tactics and moving away from macro-based attacks after Microsoft's policy of blocking VBA macros in Office, according to a report released this week.

Security firm Proofpoint found that attackers are increasingly relying on malicious container files (such as RAR or ISO) as their gateway into a system. Like the malicious macros before them, these files are typically sent to a potential victim by e-mail.

Proofpoint said it has observed a dramatic shift: between October 2021 and June 2022, VBA macro-based attacks decreased by 66 percent while the use of malicious container files increased by 150 percent over the same period.

The firm said that both VBA macro attacks and the growing container file attacks share the same DNA. Per Proofpoint:

Threat actors can use container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents. When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not. When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.

Once inside, attackers can gain access to the targeted system or deliver malicious payloads directly through the initial container file. While the container file itself carries the Mark of the Web (MOTW) attribute -- which signifies that the file came from the Internet -- the malicious document nestled inside it does not. As a result, the extracted document bypasses (by default) the macro blocking that Microsoft recently enabled for files marked as coming from the web.

Proofpoint hypothesizes that we will see an increase in container file attacks specifically using XLL files (a type of dynamic link library file for Excel), especially in campaigns where the goal is to deliver a malicious payload immediately. However, for the time being, ISO, RAR and LNK (Windows shortcut files) are still the most popular avenues. No matter the container file type, expect the migration from VBA macro attacks to accelerate in the near future.
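The mechanism described in the quoted passage and the paragraphs above (a container attachment that carries MOTW while the document inside it does not) suggests where a defender can look: at the mail gateway, before the container is opened. The following Python script is an added example written for this article, not Proofpoint's tooling or anything from the report. It triages an e-mail's attachments, recognises the container formats the report names (ISO, RAR, ZIP, IMG) by magic bytes as well as extension, lists the members of a ZIP that belong to the nested file types discussed (macro-enabled Office documents, XLL add-ins, LNK shortcuts) without extracting them, and routes RAR/ISO/IMG containers to detonation since the standard library cannot parse them. The sample message, the fake ISO blob and every file name are constructed for the demonstration.

```python
"""Mail-gateway style triage for container attachments (added example, not
Proofpoint's tooling). Flags the container formats named in the report and,
for ZIPs, lists nested payloads that would arrive without Mark of the Web.
All sample data below is constructed."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Container formats named in the Proofpoint report.
CONTAINER_EXTENSIONS = {".iso", ".rar", ".zip", ".img"}
# Nested file types an attacker would want to land without MOTW:
# macro-enabled Office documents, Excel add-ins (XLL) and shortcuts (LNK).
RISKY_NESTED_EXTENSIONS = {".xlsm", ".xlsb", ".docm", ".dotm", ".pptm", ".xll", ".lnk"}


def detect_container_type(filename, data):
    """Identify a container by magic bytes first, extension second, so a
    renamed archive (e.g. 'report.pdf' that is really a ZIP) is still caught."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    # ISO 9660: the primary volume descriptor carries 'CD001' at byte 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    ext = os.path.splitext(filename.lower())[1]
    if ext in CONTAINER_EXTENSIONS:
        return ext[1:]
    return None


def classify_attachment(filename, data):
    """Return a list of findings (dicts) for one attachment."""
    findings = []
    kind = detect_container_type(filename, data)
    if kind is None:
        return findings
    findings.append({"kind": "container", "attachment": filename, "detail": kind})
    if kind == "zip":
        try:
            # Only read the central directory; never extract untrusted members.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in RISKY_NESTED_EXTENSIONS:
                        findings.append({"kind": "nested_risky",
                                         "attachment": filename, "detail": member})
        except zipfile.BadZipFile:
            findings.append({"kind": "malformed", "attachment": filename, "detail": "zip"})
    else:
        # RAR/ISO/IMG need a dedicated parser; hand them to a sandbox instead.
        findings.append({"kind": "needs_detonation", "attachment": filename, "detail": kind})
    return findings


def scan_email(raw_bytes):
    """Walk every attachment of an RFC 5322 message and collect findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(classify_attachment(name, payload))
    return findings


def build_sample_message():
    """Constructed sample: a ZIP attachment wrapping a macro-enabled workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2022.xlsm", b"placeholder, not a real workbook")
        zf.writestr("readme.txt", b"placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def build_fake_iso():
    """Constructed minimal blob carrying only the ISO 9660 descriptor signature."""
    return b"\x00" * 0x8001 + b"CD001" + b"\x00" * 16


if __name__ == "__main__":
    for finding in scan_email(build_sample_message()):
        print(finding)
```

The script deliberately reads only the ZIP central directory, so a nested archive is never written to disk and a crafted member cannot be triggered by the scanner itself; RAR and ISO attachments are flagged for detonation rather than parsed, because the point of the check is to decide which attachments deserve sandboxing before any user extracts a document that no longer carries MOTW.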

"Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history," concluded the report. "It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

