After pausing the rollout of a default macro-blocking feature in Microsoft Office, Microsoft is now officially blocking VBA macros by default in Office applications in a move to make it harder for threat actors to deploy malware and ransomware using Office applications.
Microsoft first announced the VBA macro blocking in February 2022, just a few months after announcing it would begin blocking XL4 macros by default as well.
However, threat actors are already moving onto new tactics, techniques and procedures to get around the new macro-blocking feature, according to cybersecurity software company Proofpoint.
The Sunnyvale, Calif.-based company’s research shows that hackers were listening to Microsoft’s announcements and began increasingly using container files such as ISO and RAR, as well as Windows Shortcut (LNK) files to distribute malware.
In a report based on research from October 2021 through June 2022, Proofpoint found that the use of macro-enabled attachments by threat actors decreased by about 66%. Meanwhile, cyberattacks using container file formats (.iso, .rar, .zip, .img and LNK attachments) rose nearly 175% in the same timeframe.
In particular, Proofpoint notes the increased use of ISO and LNK files, which threat actors are using as initial access mechanisms. The use of ISO files has increased 150% in the same timeframe Proofpoint studied, with more than half of 15 tracked threat actors using ISO files in campaigns after Microsoft began blocking Office macros by default in February 2022. HTML attachments containing malware are also on the rise, but the number remains low, according to the company.
However, the most notable shift away from macro-based attacks is the increased use of LNK files: attacks using that file format have risen 1,675% since October 2021, and multiple advanced persistent threat (APT) actors are now using LNK files with increased frequency.
“Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history,” the company notes in the report. “It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”
Although the use of Microsoft Office macros in cyberattacks is trending down, there have been some outliers over the last year, including a March campaign of a threat actor delivering the Emotet malware via XL4 macros. When that specific campaign dropped off in April, it began using other file types, such as XLL and zipped LNK attachments, according to Proofpoint.
Similarly, the use of VBA macros in attacks also spiked in March, but has otherwise been on a downward trend, the company’s report says.
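As an added illustration (not code from the article or from Proofpoint's research), a small Python triage routine for a mail gateway that applies the reported shift: it quarantines the container formats named above, blocks direct LNK and XLL attachments, and inspects ZIP attachments for nested LNK or XLL files such as the zipped LNK lures mentioned. The sample attachments and the rule set are constructed for this example; only ZIP contents are parsed, and ISO/RAR/IMG parsing is left out.

```python
import io
import zipfile
# Constructed rule set covering the formats named in the report; not a vendor rule.
CONTAINER_EXTS = {".iso", ".rar", ".zip", ".img"}
DIRECT_BLOCK_EXTS = {".lnk", ".xll"}
NESTED_BLOCK_EXTS = DIRECT_BLOCK_EXTS | {".iso", ".img"}

def ext_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def zip_members(name: str, data: bytes) -> list[str]:
    # Only ZIP is inspected here; ISO/RAR/IMG parsing is out of scope for this example.
    if ext_of(name) != ".zip":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable>"]  # a .zip that does not parse is treated as suspicious

def classify(name: str, data: bytes = b"") -> tuple[str, str]:
    """Return (verdict, reason); verdicts are block, quarantine, review or allow."""
    ext = ext_of(name)
    members = zip_members(name, data)
    bad = sorted(m for m in members if ext_of(m) in NESTED_BLOCK_EXTS or m == "<unreadable>")
    if bad:
        return "block", f"zip carries {', '.join(bad)}"
    if ext in DIRECT_BLOCK_EXTS:
        return "block", f"direct {ext} attachment"
    if ext in CONTAINER_EXTS:
        return "quarantine", f"container format {ext}"
    if ext in {".html", ".htm"}:
        return "review", "html attachment"
    return "allow", ""

def make_zip(member_names: list[str]) -> bytes:
    """Build an in-memory ZIP with empty members (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in member_names:
            zf.writestr(n, b"")
    return buf.getvalue()
# Constructed sample attachments mirroring the formats discussed above.
SAMPLES = [("invoice.zip", make_zip(["invoice.lnk"])), ("statement.iso", b""),
           ("shortcut.lnk", b""), ("addin.xll", b""), ("notice.html", b""),
           ("photos.zip", make_zip(["a.jpg"])), ("minutes.txt", b"")]

def triage(samples=SAMPLES) -> dict[str, str]:
    return {name: classify(name, data)[0] for name, data in samples}
```

Running `triage()` on the constructed samples blocks the zipped LNK, the bare LNK and the XLL, quarantines the ISO and the benign-looking ZIP for manual inspection, and flags the HTML attachment for review.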