Cyber criminals pivot away from macros as Microsoft changes bite

The use of malicious macros by cyber criminal groups has dropped a remarkable 66% since October 2021, in what may be one of the largest shifts in the email threat landscape in the industry's history, according to research data published on 28 July by Proofpoint.

The shift is almost entirely down to Microsoft's decision to block, by default, Visual Basic for Applications (VBA) macros in Office files downloaded from the internet, and Excel 4.0 (XL4) macros in Excel, in a series of policy changes dating back to autumn 2021.

Macros have typically been abused by cyber criminals to run malicious code once a user opens a tainted document delivered by a phishing email and is talked into enabling them.

By blocking macros in such files by default, and forcing users to click through and read additional information about macros before they can be allowed to run, Microsoft has effectively thrown up extra barriers to users being hoodwinked.

According to Proofpoint's vice-president of threat research and detection, Sherrod DeGrippo, this has been highly effective. The firm observed just under 70 campaigns incorporating VBA macros in October 2021, but by June 2022 this had dwindled to just over 21.

“Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape,” said DeGrippo.

“Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue,” she added.

DeGrippo explained that threat actors are clearly abandoning macro-enabled documents in droves and increasingly turning to other vectors to compromise unwitting users, something Proofpoint had already hypothesised would happen.

For example, container files such as ISO and RAR attachments are increasingly in vogue. Volumes of these are collectively up nearly 200% over the same period, from about 70 observed campaigns in October 2021 to close to 200 in June 2022.

This is because such files let attackers sidestep the Mark of the Web (MOTW), the attribute that browsers and email clients on Windows attach to downloaded files and that Office now relies on to decide whether to block VBA macros.

Although the ISO or RAR file itself does carry MOTW (it was, after all, downloaded from the internet), the mark is metadata on that one file, stored on NTFS as the Zone.Identifier alternate data stream, and the document inside does not inherit it when the container is mounted or extracted. The user still has to enable macros for the malicious code to execute, but because Office sees a document with no MOTW, the stricter block for internet-sourced files never triggers and the older "enable content" prompt is shown instead, leading to compromise.
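The following is an added example, not Proofpoint's or Microsoft's code, that models the decision described above: it parses a Zone.Identifier stream, applies the new Office default (block when the file is marked as coming from the Internet or Restricted Sites zone), and shows how the same macro document is treated when attached directly versus when it arrives inside an ISO whose mark is not propagated to its contents. The Zone.Identifier format is real; the sample stream, file names and URL are constructed for illustration, and the "propagate_motw" switch is an assumption used to contrast the two extraction behaviours.

```python
"""Model of the Office 'block macros from the internet' default and of the
container-file gap described in the article.

Added example; not Proofpoint's or Microsoft's code. NTFS stores the Mark
of the Web as an alternate data stream named Zone.Identifier holding an
INI-style [ZoneTransfer] section with a ZoneId and, optionally, ReferrerUrl
and HostUrl. The sample stream, file names and URL below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# URL security zone numbers as written into Zone.Identifier.
ZONE_LOCAL, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = range(5)


@dataclass
class ZoneTransfer:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(stream: str) -> ZoneTransfer:
    """Parse the text of a Zone.Identifier alternate data stream."""
    fields: dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("Zone.Identifier stream has no ZoneId")
    return ZoneTransfer(int(fields["zoneid"]), fields.get("referrerurl"),
                        fields.get("hosturl"))


def macros_blocked_by_default(motw: Optional[ZoneTransfer]) -> bool:
    """Office's post-change default: block macros outright when the file
    carries MOTW from the Internet (3) or Restricted Sites (4) zone. A file
    with no MOTW, or one tagged local/intranet/trusted, gets the older
    'Enable Content' prompt instead, which this model counts as not blocked."""
    return motw is not None and motw.zone_id in (ZONE_INTERNET, ZONE_RESTRICTED)


@dataclass
class File:
    name: str
    motw: Optional[ZoneTransfer] = None
    children: list["File"] = field(default_factory=list)  # contents of an ISO/RAR


def extract(container: File, propagate_motw: bool) -> list[File]:
    """Model mounting or extracting a container. propagate_motw=False matches
    the behaviour the article describes (inner files end up with no
    Zone.Identifier); propagate_motw=True models a tool that copies it across."""
    extracted = []
    for child in container.children:
        motw = container.motw if (propagate_motw and child.motw is None) else child.motw
        extracted.append(File(child.name, motw, child.children))
    return extracted


# Constructed sample stream, shaped as a mail client would write it.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://mail.example.invalid/invoice.iso\r\n"


def compare_delivery_paths() -> dict[str, bool]:
    """Same macro document, three delivery paths; True means Office blocks."""
    motw = parse_zone_identifier(SAMPLE_STREAM)
    direct = File("invoice.docm", motw)                       # attached to the email
    iso = File("invoice.iso", motw, [File("invoice.docm")])   # same document inside an ISO
    return {
        "docm attached directly": macros_blocked_by_default(direct.motw),
        "docm inside ISO, MOTW not propagated": macros_blocked_by_default(
            extract(iso, propagate_motw=False)[0].motw),
        "docm inside ISO, MOTW propagated": macros_blocked_by_default(
            extract(iso, propagate_motw=True)[0].motw),
    }


if __name__ == "__main__":
    for path, blocked in compare_delivery_paths().items():
        print(f"{path}: {'blocked' if blocked else 'Enable Content prompt shown'}")
```

Running the script shows the directly attached document blocked and the same document inside the ISO falling through to the old prompt unless the mark is propagated, which is exactly the gap the container-file campaigns exploit.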

Cyber criminals can also use container files to deliver their payloads directly, in the form of Windows shortcut (LNK) files, dynamic link libraries (DLLs) and other executables. Proofpoint observed fewer than 10 LNK campaigns in October 2021, but by June 2022 this had increased to just over 70.

There has also been a small but statistically significant increase in HTML files being used for the same purpose.
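A practical check that follows from the shift described above is to triage attachments by content rather than by file name, since an ISO or LNK can be handed to a user under any extension. The script below is an added example, not Proofpoint's code: it recognises the container and payload types the article lists (ISO, RAR, LNK, DLL/EXE, HTML) alongside the legacy and macro-enabled Office formats they replace, and flags an extension that does not match the content. The format signatures are the published ones; the sample blobs and file names are constructed in memory so the script runs offline.

```python
"""Magic-byte triage for the attachment types the article says are on the
rise (ISO, RAR, LNK, DLL/EXE, HTML) alongside the Office formats they replace.

Added example, not Proofpoint's code. Signatures are the published ones for
each format; sample blobs and file names below are constructed.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Shell link: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
ISO_PVD_OFFSET = 0x8000                                 # first ISO 9660 volume descriptor
IMAGE_FILE_DLL = 0x2000                                 # COFF Characteristics flag


def classify(data: bytes) -> str:
    """Return a coarse file type from content alone, ignoring the file name."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")         # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
            chars = int.from_bytes(data[pe_off + 22:pe_off + 24], "little")
            return "pe-dll" if chars & IMAGE_FILE_DLL else "pe-exe"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == b"CD001":
        return "iso9660"
    if data.startswith(OLE2_MAGIC):
        return "ole2-office"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # Macro-enabled OOXML carries the VBA project as a part inside the package.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


SUSPECT = {"iso9660", "rar", "lnk", "pe-dll", "pe-exe", "ooxml-macro", "html"}

EXT_MATCH = {  # content types an extension legitimately carries
    ".iso": {"iso9660"}, ".rar": {"rar"}, ".lnk": {"lnk"}, ".dll": {"pe-dll"},
    ".exe": {"pe-exe"}, ".docm": {"ooxml-macro"}, ".xlsm": {"ooxml-macro"},
    ".docx": {"ooxml"}, ".xlsx": {"ooxml"}, ".doc": {"ole2-office"},
    ".xls": {"ole2-office"}, ".zip": {"zip", "ooxml", "ooxml-macro"}, ".html": {"html"},
}


def triage(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Classify one attachment and list the reasons it should be held for review."""
    kind = classify(data)
    reasons = []
    if kind in SUSPECT:
        reasons.append(f"{kind} attachment")
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in EXT_MATCH and kind not in EXT_MATCH[ext]:
        reasons.append(f"extension {ext} does not match content {kind}")
    return kind, reasons


# Constructed samples: only the headers the checks look at, no real payload.
def sample_iso() -> bytes:
    blob = bytearray(ISO_PVD_OFFSET + 2048)
    blob[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6] = b"\x01CD001"       # primary volume descriptor
    return bytes(blob)


def sample_dll() -> bytes:
    pe = bytearray(0x60)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")                 # PE header at 0x40
    pe[0x40:0x44] = b"PE\0\0"
    pe[0x40 + 22:0x40 + 24] = (0x2102).to_bytes(2, "little")     # EXECUTABLE_IMAGE|32BIT|DLL
    return bytes(pe)


def sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")              # presence is what matters
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Invoice.pdf", sample_iso()), ("report.docx", sample_docm()),
                       ("Open Me.lnk", LNK_MAGIC + b"\x00" * 32), ("helper.dll", sample_dll())]:
        print(name, *triage(name, blob))
```

The classifier deliberately checks PE before LNK and ISO before OLE2 because each signature lives at a fixed offset and a file can only carry one of them at its start; the ISO check reads the volume descriptor at 32 KB in, so a gateway that only inspects the first few hundred bytes of an attachment will miss it.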

Ultimately, said Proofpoint, the end goal is the same: compromise leading to the execution of malicious payloads on the target system, followed by reconnaissance, data theft, and further malware or ransomware.

Negative feedback

Though welcome, the changes have not gone entirely smoothly. At the beginning of July 2022, Microsoft quietly rolled back the default blocking policy, citing negative user feedback.

This reversal was intended to be temporary while Microsoft tweaked the policy and its documentation, and default blocking has since resumed.

Microsoft has kept its counsel on the precise nature of the negative feedback it received, but in a note detailing the policy resumption, product manager Kelly Eickmeyer said: “We’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share.”

DeGrippo and a number of her colleagues had previously expressed disappointment at the suspension of the policy, amid widespread dismay across the security community.

However, there is no evidence that the reversal and its subsequent undoing had any impact on the trend away from macros. DeGrippo explained why: "Threat actors began investigating and implementing ways to bypass macro blocking when the announcements occurred, so they were already ahead of any actual implementation.

“The confusion around when Microsoft would continue to block by default was a relatively short period of time, and did not have a notable impact on the threat landscape. We will continue to see increased adoption of the tactics described in the blog as macro blocking begins rolling out broadly,” she said.
