Skip to content
Cyber-criminals use container files & other tactics to evade the company’s attempt to defeat a known way to deliver malicious phishing payloads.
Threat actors are avoiding Microsoft’s default blocking of macros in its Office suite, using alternative files to host malicious payloads because a primary channel for threat delivery is being blocked, researchers have found.
Macros-Enabled
The use of macros-enabled attachments by threat players diminished about 66% between Oct. 2021 & June 2022, states new data by Proofpoint revealed in a blog post Thurs.
The beginning of the decrease coincided with Microsoft’s plan to start blocking XL4 macros by default for Excel users, followed up with the blocking of VBA macros by default across the Office suite this year.
Undeterred
Threat players, showing their resilience, so far appear undeterred by this move, which is “one of the largest email threat landscape shifts in recent history,” researchers Selena Larson, Daniel Blackford & others on the Proofpoint Threat Research Team, explained in a post.
Although cyber-criminals for now continue to employ macros in malicious documents used in phishing campaigns, they also have begun to evade Microsoft’s defence strategy by turning to other file types as conduits for malware — container files such as ISO & RAR attachments, as well as Windows Shortcut (LNK) files, they outlined.
8-Month Period
In the same 8-month period when the use of macros-enabled documents decreased, the number of malicious campaigns using container files including ISO, RAR, and LNK attachments increased nearly 175%, researchers found.
“It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments,” they noted.
Macros No More?
Macros, which are used for automating frequently used tasks in Office, have been among the most popular ways to deliver malware in malicious email attachments for at least most of a decade, as they can be allowed with a simple, single mouse-click the user when prompted.
Macros long have been disabled by default in Office, though users always could enable them—which has allowed threat players to weaponize both VBA macros, which can automatically run malicious content when macros are enabled in Office apps, & also Excel-specific XL4 macros.
Typically the players use socially engineered phishing campaigns to convince victims of the urgency to enable macros so they can open what they don’t realise are malicious file attachments.
Other Tactics
While Microsoft’s move to block macros entirely so far has not deterred threat players from using them fully, it has prompted this shift to other tactics, Proofpoint researchers cautioned.
Central to this shift are tactics to bypass Microsoft’s method to block VBA macros based on a ‘Mark of the Web’ (MOTW) attribute that shows whether a file comes from the internet known as the Zone.Identifier, researchers noted.
“Microsoft applications add this to some documents when they are downloaded from the web,” they wrote. “However, MOTW can be bypassed by using container file formats.”
IT security company Outflank conveniently detailed multiple options for ethical hackers specialising in attack simulation—known as “red teamers”–to bypass MOTW mechanisms, according to Proofpoint.
The post does not seem to have been unnoticed by threat players, as they also have begun to use these tactics, researchers observed.
File-Format Switch
To bypass macros blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), & IMG (.img) files to send macro-enabled documents, researchers suggested.
This is because that though the files themselves will have the MOTW attribute, the document inside, such as a macro-enabled spreadsheet, will not, researchers noted.
“When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web,” they wrote in the post.
Container Files
Also, threat players can use container files to distribute payloads directly by adding additional content such as LNKs, DLLs, or executable (.exe) files that can be used to execute a malicious payload, researchers said.
Proofpoint also has seen a slight increase in the abuse of XLL files—a type of dynamic link library (DLL) file for Excel—in malicious campaigns too, although not as significant an increase as the use of ISO, RAR, & LNK files, they concluded.
