Ransomware gangs move away from exploiting Microsoft Office macros  




Remote code execution (RCE) attacks are among the most significant threats facing enterprises. Opening an Office attachment from a phishing email and enabling its macros can be enough to trigger a breach that puts an enterprise’s private data at risk. 

So when Microsoft announced back in October of last year that it would disable Office macros by default, the security community welcomed the prospect of blunting RCE attempts that rely on Office files. The change to VBA macros does not switch them off outright: it blocks them in documents that carry the Mark of the Web, the marker Windows attaches to files that arrived from the internet or as an email attachment, so its effect depends on that marker being present. 

New research released by MDR security provider Expel today indicates that disabling macros has substantially changed the threat landscape. 

Expel’s Quarterly Threat Report found that a macro-enabled Microsoft Word document (VBA macro) or Excel 4.0 macro was the initial attack vector in 55% of pre-ransomware incidents in Q1 of this year; in Q2 that figure fell to 9%, a drop of 46 percentage points after Microsoft’s decision to block macros by default. 

Instead of Office macros, threat actors now favor disk image (ISO), shortcut (LNK) and HTML Application (HTA) files to gain initial access to enterprise networks and drop their payloads. ISO images are attractive in part because files extracted from a mounted image arrive without the Mark of the Web that the macro block and SmartScreen rely on, so a macro-enabled document delivered inside an ISO can sidestep the new default. 

This means that going forward, enterprises will need to make sure users are wary of these attachment types in their inbox, and that email filtering and endpoint controls cover them rather than only macro-enabled Office documents. 
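The shift to ISO delivery is easier to reason about once you can see the marker the macro block keys on. The following PowerShell is an added example, not code from the article or from Expel: it reads the Mark of the Web (the NTFS alternate data stream named Zone.Identifier, in which ZoneId=3 means Internet and ZoneId=4 Restricted) from files of the attachment types discussed above, and reports which ones would actually trigger Office's default block. The two sample files, the temp directory and the risky-extension list are constructed for the demonstration.

```powershell
# Added example (not from the article or Expel). Inspects Zone.Identifier, the stream behind
# the Mark of the Web, and flags files of the attachment types discussed above that lack it.
# Sample files are constructed in a temp directory so this runs offline on any NTFS volume.

$RiskyExtensions = @('.iso', '.lnk', '.hta', '.js', '.jse', '.wsf', '.wsh', '.docm', '.xlsm')
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is INI text, e.g. "[ZoneTransfer]", "ZoneId=3", "HostUrl=https://...".
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return $null }          # no stream: Windows treats the file as local
    $zoneId  = $null
    $hostUrl = $null
    if ($raw -match '(?m)^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
    if ($raw -match '(?m)^HostUrl=(\S+)') { $hostUrl = $Matches[1] }
    [pscustomobject]@{ ZoneId = $zoneId; HostUrl = $hostUrl }
}

function Find-UnmarkedRiskyFiles {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -File -Recurse |
        Where-Object { $RiskyExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $motw = Get-MarkOfTheWeb -Path $_.FullName
            $zoneName = 'none'
            if ($motw -and $null -ne $motw.ZoneId -and $ZoneNames.ContainsKey($motw.ZoneId)) {
                $zoneName = $ZoneNames[$motw.ZoneId]
            }
            [pscustomobject]@{
                File       = $_.Name
                Zone       = $zoneName
                HostUrl    = if ($motw) { $motw.HostUrl } else { $null }
                # Only ZoneId 3 or 4 triggers Office's macro block and SmartScreen.
                MacroBlock = [bool]($motw -and $motw.ZoneId -ge 3)
            }
        }
}

# Constructed demo directory with one file per delivery path.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('motw-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

# Simulates a payload the user copied out of a mounted ISO: no Zone.Identifier at all.
Set-Content -LiteralPath (Join-Path $demo 'invoice.lnk') -Value 'constructed placeholder'

# Simulates a direct browser download: the stream a browser or mail client would write.
$downloaded = Join-Path $demo 'report.docm'
Set-Content -LiteralPath $downloaded -Value 'constructed placeholder'
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier `
    -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/report.docm"

Find-UnmarkedRiskyFiles -Directory $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

The reason the ISO trick works is structural rather than a bug in the macro check: a mounted image is presented as a separate read-only volume (ISO 9660 or UDF) that has no alternate data streams, so only the .iso container can carry Zone.Identifier and nothing extracted from it does. Two practical notes: `Unblock-File` deletes the stream, so keep it off anything you are preserving as evidence, and the check only applies on NTFS, which is where user profiles and download folders normally live.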

Disabling Office macros has changed the game 

According to Jonathan Hencinski, VP of security operations at Expel, “Microsoft’s announcement that it would block macros by default in Microsoft Office applications appears to have changed the game for attackers.” 

While Hencinski notes that ISO, LNK and HTA files are old techniques, he highlights that they are effective, and recommends that enterprises configure JavaScript (.js, .jse), Windows Script File (.wsf, .wsh) and HTML Application (.hta) files to open with Notepad to eliminate common entry points for cybercriminals. 

He also recommends unregistering the ISO file extension in Windows Explorer so that Windows no longer recognizes ISO files, which also prevents users from accidentally executing malicious software by double-clicking a malicious file. 
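One way to apply both of those recommendations on a single machine is shown below. This is an added example, not a script from Expel or Microsoft: it follows each extension to its registered ProgID, points that ProgID's open command at Notepad, and removes the .iso association so a double-click no longer mounts the image. It writes to HKLM\SOFTWARE\Classes (the machine-wide half of HKEY_CLASSES_ROOT), so it needs an elevated prompt, and it exports every key it touches to a .reg file first so the change can be rolled back. The backup directory name is an assumption; the ProgID names (JSFile, JSEFile, WSFFile, WSHFile, htafile) are the ones Windows registers by default.

```powershell
# Added example, not Expel's or Microsoft's script: implements the two file-association
# changes recommended above. Run from an elevated PowerShell; edits go to
# HKLM\SOFTWARE\Classes and each key is exported to a .reg file before it is changed.

# Extension -> ProgID as registered by Windows (the default value of HKCR\.js etc.).
$ScriptProgIds = [ordered]@{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
    '.hta' = 'htafile'
}
# Handler that replaces wscript.exe / mshta.exe: Notepad just displays the script text.
$NotepadCommand = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
$BackupDir      = Join-Path $env:ProgramData 'assoc-backup'   # assumed location, change freely

function Backup-ClassesKey {
    param([Parameter(Mandatory)][string]$RelativeKey)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir (($RelativeKey -replace '[\\.]', '_') + '.reg')
    reg.exe export "HKLM\SOFTWARE\Classes\$RelativeKey" $file /y | Out-Null
    return $file
}

function Set-ScriptHandlerToNotepad {
    param([Parameter(Mandatory)][string]$Extension)
    # Follow the extension to its ProgID rather than assuming it, in case an installer remapped it.
    $extKey = "HKLM:\SOFTWARE\Classes\$Extension"
    $progId = if (Test-Path $extKey) { (Get-ItemProperty -Path $extKey).'(default)' } else { $null }
    if (-not $progId) { $progId = $ScriptProgIds[$Extension] }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Backup-ClassesKey -RelativeKey "$progId\Shell\Open\Command" | Out-Null
    } else {
        New-Item -Path $cmdKey -Force | Out-Null
    }
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $NotepadCommand -Type String
}

function Unregister-IsoExtension {
    # Deleting HKCR\.iso drops the link to the Windows.IsoFile ProgID: a double-click no
    # longer mounts the image, and Explorer asks what to open the file with instead.
    $extKey = 'HKLM:\SOFTWARE\Classes\.iso'
    if (Test-Path $extKey) {
        Backup-ClassesKey -RelativeKey '.iso' | Out-Null
        Remove-Item -Path $extKey -Recurse -Force
    }
}

function Get-HandlerReport {
    # Shows, for each extension, which ProgID it maps to and what command a double-click runs.
    foreach ($ext in @($ScriptProgIds.Keys) + '.iso') {
        $extKey = "HKLM:\SOFTWARE\Classes\$ext"
        $progId = if (Test-Path $extKey) { (Get-ItemProperty -Path $extKey).'(default)' } else { $null }
        $cmd = $null
        if ($progId) {
            $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
            if (Test-Path $cmdKey) { $cmd = (Get-ItemProperty -Path $cmdKey).'(default)' }
        }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $cmd }
    }
}

# Look before changing anything (read-only, works without elevation).
Get-HandlerReport | Format-Table -AutoSize

# Apply from an elevated prompt, then re-run the report to confirm:
# foreach ($ext in $ScriptProgIds.Keys) { Set-ScriptHandlerToNotepad -Extension $ext }
# Unregister-IsoExtension
# Get-HandlerReport | Format-Table -AutoSize
```

Three caveats worth knowing before relying on this. A per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice takes precedence over the machine-wide mapping, so check that key on any host where the report still shows wscript.exe. The association only governs double-click and other ShellExecute launches; a command line of `wscript.exe payload.js` or `mshta.exe payload.hta` still runs, so if you want script hosts gone entirely, set the Enabled value to 0 under HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings as well. In a domain the same mapping is easier to push through Group Policy than by running the script per host; the cmd.exe equivalents `assoc .js` and `ftype JSFile` show the same data if you need to verify from a plain shell.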

Given that phishing is one of the most common ways employees are tricked into downloading malicious files, it is also worth deploying a secure email gateway (SEG) to inspect incoming and outgoing email for signs of attack. 

SEGs as a solution to phishing 

Phishing emails are one of the main tools cybercriminals use to manipulate employees into downloading malicious software. In fact, research shows that phishing attacks grew 29% last year, with 873.9 million attacks observed. 

SEGs can filter out these malicious emails: deployed at the mail server or SMTP gateway, they scan inbound mail and strip spam and malicious content before it reaches employees, reducing the chance that an attachment puts the network at risk of a data breach. 

It’s important to note that SEGs and other email security solutions cannot eliminate phishing attempts completely, so employees remain the last line of defense against them; nonetheless, they are a valuable tool for reducing the volume of email-based threats. 

One of the main SEG providers in the market is Proofpoint, whose email security solution authenticates senders and blocks malware and fraudulent email using a machine learning technology called NexusAI. 

Another key provider in the email security market is Check Point Software Technologies, which acquired email security provider Avanan last year for $300 million and uses what it calls True AI to identify phishing attempts and stop emails before they reach the inbox, rather than removing them retrospectively. 

For enterprises, these tools offer a chance to reduce exposure to human error, even if they don’t eliminate it entirely. That means they are best combined with security-awareness training that lowers the chance of an employee opening a malicious attachment in the first place.

