Microsoft has blocked hackers’ favorite trick. So now they’re looking for a new avenue of attack
There’s good news and bad news about Microsoft’s recent crackdown on untrusted Office macros. The good news is that it has reduced the use of macro-laden Office files in email attachments and links. The bad news is that attackers have simply changed tack, increasing their use of Windows shortcut (.LNK) files instead.
According to security firm Proofpoint, since Microsoft cracked down on Office macros, attackers have switched to using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.
A key turning point in macro usage came in February, when Microsoft announced that it would roll out a default block on Visual Basic for Applications (VBA) macros in files obtained from the Internet, starting in April. That rollout was delayed and has now landed this week.
“The most notable change in campaign data is the emergence of LNK files; at least 10 tracked threat actors have started using LNK files since February 2022. The number of campaigns containing LNK files has increased by 1675% since October 2021,” Proofpoint notes.
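The shift to LNK attachments described above is worth a concrete triage check. The script below is an added example, not tooling from Proofpoint or Microsoft: it parses the parts of the Windows Shell Link format (MS-SHLLINK) that matter for triage, namely the fixed ShellLinkHeader, the LocalBasePath inside LinkInfo, the ShowCommand value, and the StringData fields that carry the command-line arguments, and flags shortcuts whose target is a script interpreter or LOLBin launched with arguments. The watchlist of executables is an assumption, and the sample shortcut is constructed inline by `build_lnk()` rather than taken from a real campaign, so the script runs offline.

```python
"""Minimal Windows Shortcut (.LNK) triage parser (added example, constructed sample)."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimized, a common trick to hide the console

# Assumed watchlist: interpreters and LOLBins frequently used as shortcut targets.
SUSPICIOUS_TARGETS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def _string_data(buf: bytes, pos: int, unicode: bool):
    """Decode one StringData field: CountCharacters (u16) followed by the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return buf[pos:pos + count].decode("cp1252"), pos + count


def parse_lnk(buf: bytes) -> dict:
    """Return the fields an analyst cares about from a .lnk blob."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if buf[4:20] != LINK_CLSID:
        raise ValueError("LinkCLSID mismatch")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_command = struct.unpack_from("<I", buf, 60)[0]
    unicode = bool(flags & IS_UNICODE)
    pos = HEADER_SIZE
    out = {"show_command": show_command, "local_base_path": None, "name": None,
           "relative_path": None, "working_dir": None, "arguments": None,
           "icon_location": None}

    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", buf, pos)[0]
        pos += 2 + id_list_size            # skip the PIDL entirely

    if flags & HAS_LINK_INFO:
        link_info_size, _hdr_size, info_flags = struct.unpack_from("<III", buf, pos)
        if info_flags & 0x1:               # VolumeIDAndLocalBasePath present
            base_off = struct.unpack_from("<I", buf, pos + 16)[0]  # LocalBasePathOffset
            start = pos + base_off
            end = buf.index(b"\x00", start)
            out["local_base_path"] = buf[start:end].decode("cp1252")
        pos += link_info_size

    # StringData fields appear in this fixed order when their flag is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            out[key], pos = _string_data(buf, pos, unicode)
    return out


def triage(buf: bytes) -> dict:
    """Rule: watchlisted target plus non-empty arguments is suspicious; note hidden windows."""
    info = parse_lnk(buf)
    target = info["local_base_path"] or info["relative_path"] or ""
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    info["target_exe"] = exe
    info["hidden_window"] = info["show_command"] == SW_SHOWMINNOACTIVE
    info["suspicious"] = exe in SUSPICIOUS_TARGETS and bool(info["arguments"])
    return info


def build_lnk(local_path: str, arguments: str, name: str = "", show_command: int = 1) -> bytes:
    """Construct a minimal spec-shaped .lnk for testing (constructed, not a real-world sample)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    # LinkInfo: 0x1C header, flags=VolumeIDAndLocalBasePath, then VolumeID, base path, suffix
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = local_path.encode("cp1252") + b"\x00"
    body = volume_id + base + b"\x00"                              # empty CommonPathSuffix
    base_off = 0x1C + len(volume_id)
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1,
                            0x1C, base_off, 0, base_off + len(base)) + body

    def sd(s: str) -> bytes:               # StringData encoder (Unicode)
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    string_data = (sd(name) if name else b"") + sd(arguments)
    return header + link_info + string_data + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed sample: a shortcut posing as an invoice that launches cmd.exe with a payload.
SAMPLE = build_lnk(r"C:\Windows\System32\cmd.exe",
                   '/c powershell -w hidden -c "echo constructed sample"',
                   name="Invoice", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On real files, feed `open(path, "rb").read()` to `triage()`; shortcuts extracted from ISO or RAR containers are parsed the same way, since the container does not change the LNK bytes. The parser deliberately skips the LinkTargetIDList, so a shortcut whose target is expressed only as a PIDL will show no path and will not be flagged; that is a known gap of this minimal check, not of the format.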
Email attachments containing malicious macros decreased by around 66% between October 2021 and June 2022, according to Proofpoint.
Some threat actors had adopted .LNK files before February, since Microsoft’s macro restrictions began years earlier.
Abusing Office macros (scripts embedded in Word or Excel files that automate repetitive tasks such as monthly accounting) is a useful technique for attackers because it exploits no patchable flaw. It relies instead on tricking employees into enabling a capability that most of them don’t need.
Microsoft’s latest change, which rolled out this week, makes Office apps block VBA macros by default in any file obtained from the Internet, including email attachments and downloads from links. This removes the need for administrators to configure their domains to block untrusted VBA macros, and it makes it harder for users to be tricked into enabling macros, because the one-click Enable Content prompt is no longer offered for such files.
Since 2016, Microsoft has gradually imposed more restrictions on running macros. At the time, 98% of Office-targeted threats used macros. In January, it also disabled Excel 4.0 (XLM) macros by default. XLM was added to Excel in 1992 and is still in use even though VBA replaced it in 1993.
In 2018, Microsoft gave antivirus vendors a way to integrate with Office through the Antimalware Scan Interface (AMSI) to inspect files for malicious VBA macros. It extended that interface to XLM macros in March 2021, after attackers had started using XLM in response to its earlier crackdown on VBA macros.
“Although more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its features for legitimate purposes. Cybercriminals know this, and they have abused XLM macros, more and more frequently, to call Win32 APIs and execute shell commands,” Microsoft said at the time.
XLM, also known as XL4, was adopted by the professional malware gang behind the versatile Emotet malware. Once again, the rise in XLM usage tracked Microsoft’s decisions to block these macros and to let antivirus vendors inspect Office files for them.
“Usage of the XL4 macro increased in March 2022. This is likely due to the fact that TA542, the actor delivering the Emotet malware, ran more campaigns with higher message volumes than in previous months. TA542 typically uses Microsoft Excel or Word documents that contain VBA or XL4 macros. Emotet’s business then plummeted in April and it began using additional delivery methods including Excel Add-In (XLL) files and compressed LNK attachments in subsequent campaigns,” Proofpoint notes.