
Cyber criminals pivot from macros as Microsoft changes bite

As Microsoft resumes blocking macros by default in its Office application suite, reversing a temporary rollback, analysis from Proofpoint suggests the change has already had a dramatic effect

Alex Scroxton


Published: 28 Jul 2022 11:00

The use of malicious macros by cyber criminal groups has dropped an extraordinary 66% since last October, in what may be one of the largest shifts in the email threat landscape in industry history, according to research data published on 28 July by Proofpoint.

The shift is almost entirely down to Microsoft's decision to block Visual Basic for Applications (VBA) and Excel-specific XL4 macros across the Office suite, in a series of policy changes dating back to last autumn.

Macros had typically been used by cyber criminals to trick users into running malicious content after downloading a tainted document from a phishing email.

By removing the ability to run macros automatically, and forcing users to click through and read more information about macros before allowing them to run, Microsoft has effectively thrown up extra barriers to being hoodwinked.

According to Proofpoint's vice-president of threat research and detection, Sherrod DeGrippo, the change has been highly effective. The firm observed just under 70 campaigns incorporating VBA macros in October 2021, but by June 2022 this had dwindled to just over 21.

"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," said DeGrippo.

"Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK and RAR is likely to continue," she added.

DeGrippo explained that threat actors are clearly abandoning macro-enabled documents in droves and are increasingly embracing other vectors to compromise unwitting users. Proofpoint had already hypothesised that something like this might happen.

For example, container files, such as ISO and RAR attachments, are now increasingly in fashion. Volumes of these are collectively up nearly 200% over the same period, from about 70 observed campaigns last October to nearly 200 in June 2022.

This is because, by using such files, attackers can bypass the Mark of the Web (MOTW) attribute that Microsoft uses to block VBA macros.

Although ISO and RAR files do carry the MOTW attribute (since they were still downloaded from the internet), the document contained within them does not. Once it is extracted, the user will still need to enable macros for the malicious code to execute, but their system will not see the file as having come from the internet, and so will not block them, leading to compromise.
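A defender-side illustration of the MOTW gap described above, added here and not part of the article or of Proofpoint's research: it parses the `Zone.Identifier` alternate data stream format Windows uses to carry MOTW and flags Office documents that were extracted from a marked container but carry no mark themselves. The file records and paths are constructed sample data, not real files.

```python
"""
Constructed example. On NTFS a downloaded file carries MOTW as a
"Zone.Identifier" alternate data stream containing an INI-style
[ZoneTransfer] section with a ZoneId. Office blocks macros for
files in the Internet (3) and Restricted (4) zones. A document
extracted from a marked ISO/RAR may not inherit that stream.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

INTERNET_ZONES = {3, 4}          # URLZONE_INTERNET, URLZONE_UNTRUSTED
OFFICE_EXTS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}


def parse_zone_id(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier text, or None if absent."""
    if not stream:
        return None
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", stream, re.MULTILINE)
    return int(m.group(1)) if m else None


def has_motw(stream: Optional[str]) -> bool:
    """True when the stream marks the file as internet-sourced."""
    return parse_zone_id(stream) in INTERNET_ZONES


@dataclass
class FileRecord:
    path: str
    zone_stream: Optional[str]             # <path>:Zone.Identifier, or None
    extracted_from: Optional[str] = None   # container path, if extracted


def find_motw_gaps(records: List[FileRecord]) -> List[str]:
    """Office docs with no MOTW whose parent container does carry MOTW."""
    by_path = {r.path: r for r in records}
    gaps = []
    for r in records:
        ext = os.path.splitext(r.path)[1].lower()
        if ext not in OFFICE_EXTS or has_motw(r.zone_stream):
            continue
        parent = by_path.get(r.extracted_from or "")
        if parent is not None and has_motw(parent.zone_stream):
            gaps.append(r.path)
    return gaps


# Constructed sample: a marked ISO, the unmarked doc extracted from it,
# a marked macro workbook, and a locally created unmarked document.
SAMPLE = [
    FileRecord(r"C:\Users\a\Downloads\invoice.iso",
               "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/\r\n"),
    FileRecord(r"E:\invoice.docm", None,
               extracted_from=r"C:\Users\a\Downloads\invoice.iso"),
    FileRecord(r"C:\Users\a\Documents\budget.xlsm",
               "[ZoneTransfer]\r\nZoneId=3\r\n"),
    FileRecord(r"C:\Users\a\Documents\notes.docm", None),
]
```

Only the extracted `invoice.docm` is reported: the ISO it came from is marked, but the document inside it is not, which is the condition that lets a macro-enabled file escape the default block.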

Cyber criminals can also use container files to distribute their payloads directly in the form of Windows Shortcut (LNK) files, Dynamic Link Libraries (DLLs) and other executables. Proofpoint observed fewer than 10 LNK campaigns last October, but by June this had risen to just over 70.

There has also been a small, but statistically significant, increase in HTML files used for these purposes.

Ultimately, said Proofpoint, the end goal is the same: compromise leading to the execution of malicious payloads on the target system, as well as reconnaissance, data theft, malware and ransomware.

Negative feedback

Though welcome, the changes have not, however, gone entirely smoothly. At the start of July 2022, Microsoft quietly rolled back the default blocking policy, citing negative user feedback.

This reversal was intended to be temporary while Microsoft made some tweaks to the policy, and default blocking has since resumed.

Microsoft has kept its counsel on the exact nature of the negative feedback it received, but in a post detailing the resumption of the policy, product manager Kelly Eickmeyer said: "We've made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share."

DeGrippo and several of her colleagues had previously expressed their disappointment at the suspension of the policy, amid widespread dismay in the security community as a whole.

However, there does not seem to be any evidence that the reversal and its subsequent undoing had any effect on the trend away from macros. DeGrippo explained why this should be: "Threat actors began investigating and implementing methods to bypass macro blocking once the announcements occurred, so they were already ahead of any actual implementation.

"The confusion around when Microsoft would continue to block by default was a relatively short period of time, and didn't have a notable impact on the threat landscape. We will continue to see increased adoption of the tactics described in the blog as macro blocking begins rolling out broadly," she said.
