
Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office
2022-07-28 17:24

Threat actors are finding their way around Microsoft's default blocking of macros in its Office suite, using alternative files to host malicious payloads now that a primary channel for threat delivery is being cut off, researchers have found.

The beginning of the decrease coincided with Microsoft's plan to start blocking XL4 macros by default for Excel users, followed up with the blocking of VBA macros by default across the Office suite this year.

Though cybercriminals for now continue to employ macros in malicious documents used in phishing campaigns, they have also begun to pivot around Microsoft's defense strategy by turning to other file types as vessels for malware, namely container files such as ISO and RAR attachments as well as Windows Shortcut files, they said.

"It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments," they noted.

Macros have long been disabled by default in Office, though users could always enable them, which has allowed threat actors to weaponize both VBA macros, which can automatically run malicious content when macros are enabled in Office apps, and Excel-specific XL4 macros.

Threat actors can use container files to distribute payloads directly by including additional content such as LNKs, DLLs, or executable files that can be used to execute a malicious payload, researchers said.
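For defenders, the shift described above means attachment triage has to look at what a file is and what it contains rather than at its extension. The following is an added example, not code from the article or the researchers: it identifies LNK, PE (EXE/DLL), RAR and ISO content by file signature and recurses into ZIP archives, which goes beyond the ISO and RAR containers the article names because ZIP is the one container the Python standard library can unpack. The function names, the size cap and the sample attachment are assumptions constructed for illustration.

```python
import io
import zipfile

# File signatures for the types the article names (identify by content, not extension).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")  # header size + Shell Link CLSID
RAR_MAGIC = b"Rar!\x1a\x07"            # common prefix of RAR4 and RAR5 archives
ISO_ID, ISO_OFFSET = b"CD001", 0x8001  # ISO 9660 volume descriptor identifier
MAX_MEMBER = 20 * 1024 * 1024          # assumed per-member size cap (guards against zip bombs)

def classify(data: bytes) -> str:
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"MZ"):
        return "pe"                    # EXE and DLL share this header
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data[ISO_OFFSET:ISO_OFFSET + 5] == ISO_ID:
        return "iso"
    return "other"

def triage(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, finding) pairs for an attachment; recurses into ZIP members."""
    kind = classify(data)
    if kind in ("lnk", "pe"):
        return [(name, kind)]
    if kind in ("rar", "iso"):
        # The standard library cannot unpack these; report the container itself.
        return [(name, kind + "-container")]
    findings = []
    if kind == "zip" and depth < 3:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    findings.append((path, "oversized"))
                    continue
                findings += triage(path, zf.read(info), depth + 1)
    return findings

def build_sample() -> bytes:
    """Constructed attachment: header stubs only, with misleading member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", LNK_MAGIC + b"\x00" * 56)  # shortcut header
        zf.writestr("data.bin", b"MZ" + b"\x00" * 62)         # PE header stub
        zf.writestr("readme.txt", b"hello")
        zf.writestr("disk.img", b"\x00" * ISO_OFFSET + ISO_ID)
    return buf.getvalue()
```

Calling `triage("attachment.zip", build_sample())` reports the shortcut and the PE stub despite their names, and flags the embedded ISO image as a container to be unpacked by a tool that understands that format.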


News URL

https://threatpost.com/threat-pivot-microsofts-macro/180319/