Blocking Macros Is Only the First Step in Defeating Malware

  • Microsoft’s decision to block macros will rob threat actors of this popular means for distributing malware.
  • However, researchers note that cybercriminals have already changed tacks and significantly reduced their use of macros in recent malware campaigns.
  • Blocking macros is a step in the right direction, but at the end of the day, people need to be more vigilant to avoid getting infected, suggest experts.


While Microsoft took its own sweet time deciding to block macros by default in Microsoft Office, threat actors were quick to work around this limitation and devise new attack vectors.

According to new research by security vendor Proofpoint, macros are no longer the favorite means of distributing malware. The use of common macros decreased by approximately 66% from October 2021 to June 2022. On the other hand, the use of ISO files (disc images) registered an increase of over 150%, while the use of LNK (Windows File Shortcut) files increased a staggering 1,675% in the same timeframe. These file types can bypass Microsoft’s macro blocking protections.

“Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape,” Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint, said in a press release. “Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue.”

Moving With the Times

In an email exchange with Lifewire, Harman Singh, Director at cybersecurity service provider Cyphere, described macros as small programs that can be used to automate tasks in Microsoft Office, with XL4 and VBA macros being the most commonly used macros by Office users. 

From a cybercrime perspective, Singh said threat actors can use macros for some pretty nasty attack campaigns. For instance, macros can execute malicious lines of code on a victim’s computer with the same privileges as the logged-in person. Threat actors can abuse this access to exfiltrate data from a compromised computer or to even grab additional malicious content from the malware’s servers to pull in even more…