Technology giant Microsoft has taken many measures to make its operating system and its MS Office software suite safer. As a result, attackers are likely to shift to macro-based attacks, which is why they feature as a key threat in Seqrite’s list of 2020 Cyberthreats Predictions.
As Sanjay Katkar, Chief Technology Officer & Joint Managing Director of Quick Heal Technologies, points out, “Microsoft has taken many steps to block MS Office exploits, making it harder to execute exploit codes on newer Windows variants. This is expected to drive a shift towards macro-based attacks among threat actors. Macro-based attacks can be executed across all versions of MS Office”.
Macros – commonly used but exploitable
By themselves, macros are not dangerous, and most users rely on them in day-to-day work. They are small programs used in Microsoft Office to automate repetitive tasks. Most Office macros are written in Visual Basic for Applications (VBA), a programming language that a threat actor can abuse to run code of their choosing.
A report in 2018 found that macros in Microsoft Office documents accounted for the delivery of nearly half of all malicious macros. In 2015, the Dridex banking Trojan, which spreads through spam/phishing emails carrying Word attachments with malicious macros, was used in a cybercrime campaign that earned its perpetrators more than $40 million from victims in the US and UK.
The danger of opening unknown attachments
The modus operandi is simple: Word attachments carrying malicious macros are emailed to potential victims. The emails may be disguised to look authentic and rely on the victim opening the message, downloading the attachment and then opening the Word document, which activates the macros. Attackers are helped by the fact that anti-malware solutions do not always detect dangerous macros: in most cases the macro does not contain the actual malware; running the macro is what downloads it.
It is their inherent simplicity that makes macros so dangerous. Even though enterprises are aware of the threat, their response needs to be measured. Blocking macros across an entire organization is not possible, as macros are also used for legitimate work and an outright ban would reduce productivity. Likewise, blocking Office documents across an enterprise network is not feasible.
To combat Office macro-based attacks, enterprises must implement the following measures:
A tailored approach towards external mail
Incoming mail from sources outside the network must be treated with suspicion. Only known senders should be whitelisted so that their Word attachments are allowed into the network; emails and attachments from unknown senders must be delivered with clear warnings.
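A gateway-side check that implements the policy above, as an added example in Python (not code from the article or from Seqrite): it detects whether a Word attachment carries a VBA macro project, for both the OOXML (.docm) container and the legacy binary (.doc) format, and returns a verdict based on whether the sender is on the allowlist. The sample documents, sender addresses and allowlist are constructed for the example; the legacy .doc check is a byte-pattern heuristic, not a full OLE parser.

```python
"""Screen inbound Word attachments for embedded VBA macro projects.

Added example, not part of the original article. Sample documents below
are constructed in memory so the script runs offline.
"""
import io
import zipfile

# OOXML (.docx/.docm) is a zip container; macro code lives in this part,
# and the main document part is declared with a macro-enabled content type.
OOXML_VBA_PART = "word/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Legacy binary .doc is an OLE2 compound file. Its directory stores stream
# names as UTF-16LE, so the VBA project stream name is visible in the raw
# bytes. This is a triage heuristic, not a full OLE directory walk.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def contains_vba(data: bytes) -> bool:
    """Return True if the document bytes carry a VBA macro project."""
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if OOXML_VBA_PART in names:
                    return True
                # Fall back to the declared content type of the document part.
                if "[Content_Types].xml" in names:
                    ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    return MACRO_ENABLED_CT in ct
        except zipfile.BadZipFile:
            return False
    return False


def triage(sender: str, filename: str, data: bytes, allowlist: set) -> tuple:
    """Apply the article's policy: macro documents from allowlisted senders
    pass; macro documents from unknown senders are delivered with a warning."""
    if not contains_vba(data):
        return ("allow", f"{filename}: no VBA project found")
    if sender.lower() in {s.lower() for s in allowlist}:
        return ("allow", f"{filename}: macro document from allowlisted sender")
    return ("warn", f"{filename}: macro document from unknown sender, deliver with warning")


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container from a name -> body mapping (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a macro-free .docx, a .docm with a VBA part, and a
# byte blob shaped like a legacy .doc whose directory names a VBA project.
CLEAN_DOCX = _ooxml({"[Content_Types].xml": "<Types/>",
                     "word/document.xml": "<w:document/>"})
MACRO_DOCM = _ooxml({"[Content_Types].xml":
                     f'<Types><Override PartName="/word/document.xml" '
                     f'ContentType="{MACRO_ENABLED_CT}"/></Types>',
                     "word/document.xml": "<w:document/>",
                     OOXML_VBA_PART: b"\x00constructed-placeholder-vba-project"})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 16

ALLOWLIST = {"partner@example.com"}  # constructed allowlist

if __name__ == "__main__":
    for sender, name, blob in [
        ("partner@example.com", "report.docm", MACRO_DOCM),
        ("stranger@example.net", "invoice.docm", MACRO_DOCM),
        ("stranger@example.net", "old-memo.doc", LEGACY_DOC),
        ("stranger@example.net", "notes.docx", CLEAN_DOCX),
    ]:
        verdict, reason = triage(sender, name, blob, ALLOWLIST)
        print(f"{verdict:6} {sender:22} {reason}")
```

In a real gateway the "warn" verdict would translate into a banner in the message body or a subject tag, and the attachment bytes would come from the MIME part rather than from the constructed samples; the detection logic itself does not change.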
Employees must be educated about the dangers of opening Office documents that contain macros. They should treat such documents with suspicion and enable macros only when they are completely sure of the contents.
Update Microsoft Office & anti-malware solution regularly
Microsoft regularly provides updates and patches for its Office suite, fixing detected vulnerabilities and backdoors. Since most organizations rely on the Office suite for their productivity needs, these systems must be kept up to date. It is equally important for organizations to update their anti-malware solutions regularly so that they keep detecting current threats.