New Types of Malware after Microsoft Blocks Office Macros

Criminals are finding ways around a recent Microsoft Office security change.

According to new data from Proofpoint's mail-filter analysis, the use of macro-enabled malware attachments in Office documents fell 66% between October 2021 and June 2022. The drop followed Microsoft's decision to block macros by default in Office documents.

The changes were referred to as “one of the largest mail threat landscape shifts in recent history” according to the Proofpoint Threat Research team.

These days the hackers are highly organized crime syndicates, so they are undeterred. Demonstrating their typical resilience, they have begun to turn to other file types as vessels for malware, including .ISO and .RAR attachments as well as Windows shortcut (.LNK) files.

While those eight months showed a 66% decrease in macro-enabled malware, they also showed a 175% increase in newly weaponized container formats such as .ISO, .RAR and .LNK files.

Macros have been disabled by default in Office for a very long time, but users could easily enable them, which let the criminals weaponize both VBA macros and Excel macros. Typically a socially engineered phishing campaign is sent first to convince victims that enabling macros is urgent; after that, a single click is all it takes to be attacked.

Microsoft then introduced the Mark of the Web (MOTW) attribute, which shows whether a file came from the Internet. However, this can be bypassed by using container file formats. The container itself (e.g. an .iso) is flagged as coming from the Internet, but the macro-bearing documents inside it do not inherit that flag, so the criminals can still attack computers this way.
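To make the container-format and MOTW points concrete, here is an added example (not code from the article, Proofpoint or Microsoft) of the kind of attachment triage a mail gateway or endpoint script can do: it identifies .ISO, .RAR and .LNK files by their content rather than the extension the sender chose, spots zip-based Office documents that carry a VBA project, and reads the ZoneId from a Zone.Identifier alternate data stream, which is where Windows stores the MOTW. The file signatures and the Zone.Identifier format are real; the sample blobs, the stream text and the function names are constructed for this example.

```python
import io
import re
import zipfile
from typing import List, Optional

# File signatures (public format facts): a RAR archive begins with "Rar!\x1a\x07",
# a Windows shortcut (.LNK) begins with a 0x4C header size followed by the
# shell-link CLSID 00021401-0000-0000-C000-000000000046, and an ISO 9660 image
# has "CD001" at offset 0x8001 (inside the primary volume descriptor).
RAR_MAGIC = b"Rar!\x1a\x07"
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ISO_MAGIC, ISO_MAGIC_OFFSET = b"CD001", 0x8001


def detect_container(data: bytes) -> Optional[str]:
    """Identify .ISO/.RAR/.LNK by content, not by the extension the sender chose."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return None


def has_vba_project(data: bytes) -> bool:
    """True for a zip-based Office document (.docm/.xlsm/...) that carries a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Read ZoneId from a Zone.Identifier alternate data stream (the MOTW); 3 means Internet."""
    if not stream_text:
        return None
    m = re.search(r"^ZoneId\s*=\s*(\d+)\s*$", stream_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage_attachment(filename: str, data: bytes, zone_stream: Optional[str] = None) -> List[str]:
    """Return the findings a gateway or endpoint rule could alert on for one attachment."""
    findings = []
    kind = detect_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind:
        findings.append(f"container:{kind}")
        if ext != kind:
            findings.append(f"extension-mismatch:.{ext or '(none)'}")
    if has_vba_project(data):
        findings.append("office-macro")
    if parse_zone_identifier(zone_stream) == 3:
        findings.append("motw:internet")
    return findings


# Constructed sample inputs (not real malware): minimal blobs carrying only the signatures above.
def make_office_doc(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header bytes only
    return buf.getvalue()


SAMPLE_DOCM = make_office_doc(True)
SAMPLE_DOCX = make_office_doc(False)
SAMPLE_RAR = RAR_MAGIC + b"\x00" * 16
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 16
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01\x00" + b"\x00" * 64
SAMPLE_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.iso\r\n"

if __name__ == "__main__":
    print(triage_attachment("invoice.pdf", SAMPLE_ISO, SAMPLE_MOTW))
    # → ['container:iso', 'extension-mismatch:.pdf', 'motw:internet']
```

The check keys on content because a renamed container still mounts or runs as what it really is. The MOTW lookup only applies to the outer file: once an .ISO is mounted or a .RAR is extracted, the documents inside have no Zone.Identifier stream of their own, which is exactly why this kind of inspection has to happen on the container before the user opens it.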

Therefore, beware of files with .ISO, .RAR and .LNK extensions and, as always, if you do not know the sender, don't open anything. Even if you know the sender, still be very careful.

If you’re unsure you could always contact us at 732-549-6030 and we can help.