Hackers are changing tactics for the new post-macro era


According to Proofpoint, threat actors are moving away from macro-based attacks in favor of other tactics, in one of the biggest shifts in the email threat landscape in recent history.

Microsoft announced in October 2021 that it would soon block Excel-specific XL4 macros. Several months later, it said the same about the VBA macros used in Office applications. Threat actors typically use social engineering to convince users that they need to enable macros to view specific content.

The changes began rolling out this year, and Proofpoint saw an almost immediate reaction from the cybercriminal community.

It claimed that the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022.

However, ever resourceful hackers have found a way around Microsoft’s new rules to continue delivering malicious content to victims.

“Microsoft will block VBA macros based on a Mark of the Web (MOTW) attribute that indicates whether a file is from the Internet, known as the Zone.Identifier. Microsoft applications add this to certain documents when they are downloaded from the web,” Proofpoint explained.

“However, MOTW can be bypassed using container file formats. Hackers can use container file formats such as ISO, RAR, ZIP, and IMG files to send macro-enabled documents.”

The vendor explained that downloaded container files such as ISO and RAR carry the MOTW attribute because they were downloaded from the internet, but the document inside them, such as a macro-enabled spreadsheet, does not. Once the document is extracted, the user still needs to enable macros for the malicious code to run, but the file system will not identify the document as coming from the web.

“In addition, hackers can use container files to directly distribute payloads. When opened, container files may contain additional content such as LNKs, DLLs or executable files that lead to the installation of a malicious payload,” Proofpoint added.
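The two checks below are an added example written for this article, not code from Proofpoint or Microsoft. The first parses the text of a `Zone.Identifier` alternate data stream (the MOTW; on Windows it is read from `path + ":Zone.Identifier"`, and `ZoneId=3` means the file came from the Internet zone). The second opens a ZIP container, one of the formats named above, and lists the members that would lose that mark on extraction and deserve a second look: macro-enabled Office documents, and the LNK, DLL and executable payloads the article mentions. The sample archive and stream text are constructed inline so the script runs offline; the extension lists and helper names are assumptions for illustration.

```python
"""Defender-side triage for container attachments and the Mark of the Web."""
import io
import os
import zipfile
from typing import Dict, List, Optional

# URLMON zone ids; 3 (Internet) is the value that triggers the macro block.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Assumed extension lists for this example; extend to taste.
MACRO_DOC_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm"}
DIRECT_PAYLOAD_EXTS = {".lnk", ".dll", ".exe", ".scr", ".js", ".vbs", ".hta"}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return ZoneId from Zone.Identifier stream text (INI-style), or None if absent.

    Typical content: "[ZoneTransfer]\\r\\nZoneId=3\\r\\nHostUrl=https://...\\r\\n"
    """
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def is_from_internet(stream_text: Optional[str]) -> bool:
    """True when the MOTW says Internet or Restricted; False when the stream is missing."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text)
    return zone in (3, 4)


def triage_container(archive_bytes: bytes) -> List[Dict[str, str]]:
    """List ZIP members that would carry no Zone.Identifier once extracted.

    The archive itself may be marked Internet, but members are written to disk
    without that stream, which is the bypass the article describes.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()  # case-insensitive match
            if ext in MACRO_DOC_EXTS:
                findings.append({"member": info.filename, "reason": "macro-capable Office document"})
            elif ext in DIRECT_PAYLOAD_EXTS:
                findings.append({"member": info.filename, "reason": "direct payload (LNK/DLL/EXE/script)"})
    return findings


def build_sample_container() -> bytes:
    """Constructed sample ZIP resembling the attachments described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Docs/Invoice.XLSM", b"not a real workbook")
        zf.writestr("readme.txt", b"please enable content to view the invoice")
        zf.writestr("setup.lnk", b"not a real shortcut")
        zf.writestr("helper.dll", b"not a real library")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stream text as Windows would write it for a downloaded ISO/ZIP.
    sample_stream = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/files/pack.zip\r\n"
    zone = parse_zone_identifier(sample_stream)
    print(f"container MOTW zone: {zone} ({ZONE_NAMES.get(zone, 'unknown')})")
    for f in triage_container(build_sample_container()):
        print(f"  {f['member']}: {f['reason']} (no MOTW after extraction)")
```

On a Windows host the stream text comes from `open(path + ":Zone.Identifier").read()`, guarded for `FileNotFoundError`; a file with no stream is the signal to treat extracted members as unmarked. ISO and IMG attachments need a different reader than `zipfile`, but the same member-extension logic applies.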

As a result, the security vendor saw the number of malicious campaigns using container file formats increase by 176% between October 2021 and June 2022.

These attacks are primarily used for initial access, Proofpoint said.

“Proofpoint researchers rate with great confidence that this is one of the biggest changes to the email threat landscape in recent history,” it concluded. “Threat actors are likely to continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”
