Although it took Microsoft a long time to block macros by default in Microsoft Office, attackers quickly circumvented this restriction and devised new attack methods.
Macros are no longer the preferred means of spreading malware, according to new research from security vendor Proofpoint. The use of common macros dropped by approximately 66% between October 2021 and June 2022. On the other hand, the use of ISO (disk image) files registered an increase of more than 150%, while the use of LNK (Windows File Shortcut) files increased by a whopping 1,675% in the same period. These file types can bypass Microsoft’s macro-blocking protections.
“Threat actors moving away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape,” said Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint, in a press release. “Threat actors are now employing new tactics to distribute malware, and the increased use of files such as ISO, LNK and RAR is expected to continue.”
In an email exchange with Lifewire, Harman Singh, director at cybersecurity services provider Cyphere, described macros as small programs that can be used to automate tasks in Microsoft Office, with XL4 and VBA macros being the most commonly used macros by Office users.