Macro-based malware in Microsoft Office products has been around since the ’90s. However, once users learned to combat it, it fell off hackers' radar. N-Able, a technology partner for managed service providers, reported that it has started to see a resurgence of these attacks over the past few years — and they’re not the only ones.
Cybercriminals are using social engineering to convince users to turn on macros so that their malware (e.g., Locky) can run. Typically, macro malware is transmitted through phishing emails containing malicious attachments.
Microsoft first noted the resurgence of macro-based malware in March of 2020, releasing a new runtime defense against it.
Many organizations that have legacy files that use macros may be susceptible to this kind of attack, explained Tal Leibovich, head of threat research at Deep Instinct, at a presentation during DEFCON 29.
Macro-Based Malware Prevention Tips
IT should create a good detection engine that can spot the actual threats without generating false positives and noise, according to Leibovich.
Digital forensics expert Aaron Card recommends blocking all inbound macro-enabled and macro-embedded files from email or file transfer pathways.
“Any O365 organization can also set a group policy to ‘disable all macros,’ with or without notification to the user in case a file somehow slipped through the defenses, or someone was allowed to run a file from an external drive or media,” he told TechRepublic.
He also noted that, when selecting antivirus software, organizations should make sure it can be configured to block macros.
If your organization must use macros, Card recommends “running all functionality and users in virtual desktop environments to greatly limit any spread or damage from macro malware that persists.”
IT managers must ensure staff members are properly trained when it comes to spotting phishing emails and social engineering tactics employed by cybercriminals. With the pandemic, many cybersecurity trainings may have fallen by the wayside.
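As an added illustration of Card's recommendation to block inbound macro-enabled and macro-embedded files (example code written for this page, not from N-Able, Microsoft, or anyone quoted), the sketch below shows how a mail or file-transfer filter could classify attachments. The function names, verdict labels, and sample files are assumptions constructed for the example, and the check for `vbaProject.bin` is a heuristic based on the part name Office uses by default.

```python
import io
import zipfile

# Macro-enabled Open XML extensions (Word, Excel, PowerPoint).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppsm", ".ppam"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment (hypothetical policy)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block"  # macro-enabled by file type
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry VBA regardless of extension; this
        # sketch does not parse OLE streams, so it holds them for review.
        return "quarantine"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = [n.lower() for n in archive.namelist()]
        except zipfile.BadZipFile:
            return "quarantine"  # claims to be a ZIP but cannot be inspected
        # Office writes VBA projects to a part named vbaProject.bin by default.
        if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
            return "block"  # macro-embedded despite a benign extension
    return "allow"


def make_ooxml(parts: dict) -> bytes:
    """Build a constructed, minimal ZIP standing in for an Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in parts.items():
            archive.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments (not real documents or real malware).
SAMPLES = {
    "report.docx": make_ooxml({"word/document.xml": "<doc/>"}),
    "invoice.docm": make_ooxml({"word/document.xml": "<doc/>"}),
    "renamed.docx": make_ooxml({"word/document.xml": "<doc/>",
                                "word/vbaProject.bin": b"\x00"}),
    "legacy.doc": OLE_MAGIC + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

The `renamed.docx` case is the one extension-only filtering misses: the file looks like a macro-free document but still carries a VBA project.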