Attackers try to bypass Microsoft’s default blocking of macros in Office suite

Attackers are exploring tactics to bypass Microsoft’s defense strategy, one of which involves turning to file types as vessels for malware.

So far, attackers have relied on macros-enabled attachments, but the number of attackers using this tactic dropped after Microsoft began blocking XL4 macros by default for Excel users. Microsoft also blocked VBA macros by default across the Office suite.

To get around macros blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents.

According to Proofpoint researchers since blocking macros by default, malicious campaigns using container files such as ISO, RAR and LNK attachments have now increased by 175 per cent.

The new tactic attempts to bypass Microsoft’s method of blocking VBA macros based on a Mark of the Web (MOTW) attribute, which shows whether a file comes from the internet known as the Zone.Identifier.

“Microsoft applications add this to some documents when they are downloaded from the web. However, MOTW can be bypassed by using container file formats,” the Proofpoint researchers wrote.

Attackers can use the file formats listed above to send macro-enabled documents because the documents within those files, such as a macro-enabled spreadsheet, do not have a MOTW attribute even if the files have it.

The sources for this piece include an article in ThreatPost.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web