Hackers switch to ISO, RAR, LNK, as Microsoft blocks Macros

"One of the largest email threat landscape shifts in recent history"

Microsoft earlier this year announced plans to block macros in files from the internet. It started blocking them in untrusted files in February, briefly appeared to reverse this step in June and has now offered welcome clarity: The move only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. It applies to the "current channel" as of July 27, 2022.

Now security firm Proofpoint says it has seen a 175% rise in the use of ISO, RAR and Windows Shortcut (LNK) attachments that circumvent the block instead, describing the activity -- including by actors distributing Emotet malware -- as "one of the largest email threat landscape shifts in recent history".

"VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet," Redmond confirmed in a detailed update on July 20. (Macros help automate processes in Office applications, but can be abused as malware vectors. Microsoft also disabled legacy Excel 4.0 XLM macros by default in Microsoft 365 tenants, after years of rampant abuse by hackers, last year.)

"We recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites.

"You'll want to identify those macros and determine what steps to take to keep using those macros. You'll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher," Microsoft said this week.

Security researchers at Proofpoint said threat actors have been swift to react to the move, however, changing tactics as early as autumn 2021, with the cybersecurity firm's October 2021-June 2022 data showing attackers have "pivoted away from macro-enabled documents attached directly to messages to deliver malware, and have increasingly used container files such as ISO and RAR attachments and Windows Shortcut (LNK) files."

Microsoft blocking macros: The timeline as of July 2022.

| Update channel | Version | Date |
|---|---|---|
| Current Channel (Preview) | Version 2203 | Started rolling out on April 12, 2022 |
| Current Channel | Version 2206 | Begin rolling out on July 27, 2022 |
| Monthly Enterprise Channel | To be determined | To be determined |
| Semi-Annual Enterprise Channel (Preview) | To be determined | To be determined |
| Semi-Annual Enterprise Channel | To be determined | To be determined |

As Proofpoint noted today, Microsoft will block VBA macros based on a "Mark of the Web" (MOTW) attribute, known as the Zone.Identifier, that shows whether a file comes from the internet: "Microsoft applications add this to some documents when they are downloaded from the web. However, MOTW can be bypassed by using container file formats," it noted in a research blog. Fellow security firm Outflank has also detailed multiple options for red teamers to bypass MOTW mechanisms; techniques that can, of course, be used by threat actors as well.

"Threat actors can use container file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents. When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not. When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web.

"Additionally, threat actors can use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs, or executable (.exe) files that lead to the installation of a malicious payload," Proofpoint noted. The company recommends that enterprises continue to work towards defence-in-depth, using data visibility on "Very Attacked People" to help organizations more strategically reduce risk with controls like browser isolation or security awareness training.
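A mail-gateway style triage of the behaviour described above, as an added example that is not code from the article, Proofpoint or Microsoft: it reads the ZoneId from a container's Zone.Identifier text and flags members by type, since an extracted member may not carry the mark. Only ZIP is opened here (Python standard library); the function names, file-type lists and sample data are assumptions constructed for illustration.

```python
import configparser
import io
import zipfile
from pathlib import PurePosixPath

# File types named in the article; the macro-capable list is a representative
# subset chosen for this example (an assumption, not an exhaustive list).
KINDS = {
    "macro-capable document": {".docm", ".xlsm", ".pptm", ".doc", ".xls"},
    "direct payload type": {".lnk", ".dll", ".exe"},
    "nested container": {".iso", ".rar", ".zip", ".img"},
}
INTERNET_ZONE = 3  # ZoneId value Windows records for the Internet zone
# Constructed Zone.Identifier stream content for a downloaded archive.
SAMPLE_ADS = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/invoice.zip\n"


def zone_id(ads_text):
    """Return the ZoneId from Zone.Identifier text, or None when no MOTW exists."""
    if not ads_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ads_text)
    return parser.getint("ZoneTransfer", "ZoneId", fallback=None)


def triage_zip(data, container_zone):
    """Flag ZIP members by type; an extracted member may not carry the MOTW."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            ext = PurePosixPath(name).suffix.lower()
            reason = next((k for k, exts in KINDS.items() if ext in exts), None)
            if reason:
                findings.append((name, reason, container_zone == INTERNET_ZONE))
    return findings


def build_sample_zip():
    """Constructed sample archive with placeholder bytes, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("invoice.xlsm", "readme.txt", "docs/report.lnk", "inner.iso"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    zone = zone_id(SAMPLE_ADS)
    for name, reason, from_internet in triage_zip(build_sample_zip(), zone):
        print(f"{name}: {reason}; container marked Internet zone: {from_internet}")
```
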

Organisations can, of course, also make use of free breach simulation tools like Infection Monkey. As it moves through a network (after a simulated breach of the kind a phishing attack might lead to), it reports back to a command and control server to give administrators insight into what kind of lateral movement is possible on their network. Admins then get a graph that shows the target network from an attacker’s point of view, as well as a report with actionable insights and recommendations, and should aim to architect for resilience.

Microsoft blocking macros: Full details from MSFT as published July 20, here.

See also MSFT's New security hardening policies for Trusted Documents here.