Hackers Opt for New Attack Methods After Microsoft Blocks Macros By Default

As Microsoft moves to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Office applications, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs).

“Usage of VBA and XL4 macros decreased by approximately 66% from October 2021 to June 2022,” Proofpoint said in a report shared with The Hacker News.

In its place, adversaries are increasingly moving away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in distribution campaigns. malware.


cyber security

VBA macros embedded in Office documents sent via phishing emails have proven to be an effective technique in that they allow threat actors to automatically execute malicious content after tricking a recipient into enabling macros via social engineering tactics.


However, Microsoft’s plans to block macros in files downloaded from the Internet have led to malware email campaigns experimenting with other ways to circumvent Mark of the Web (MOTW) protections and infect victims.

This involves the use of ISO, RAR and LNK attachments, which have jumped almost 175% over the same period. At least 10 threat actors are said to have started using LNK files since February 2022.

“The number of campaigns containing LNK files has increased by 1,675% since October 2021,” the enterprise security firm noted, adding that the number of attacks using HTML attachments more than doubled from October 2021. to June 2022.

cyber security

Some of the notable malware families distributed via these new methods include Emotet, IcedID, Qakbot, and Bumblebee.


“The move by threat actors away from direct distribution of macro-based attachments in email represents a significant shift in the threat landscape,” said Sherrod DeGrippo, VP of Research. and threat detection at Proofpoint, in a statement.

“Threat actors are now adopting new tactics to spread malware, and the increased use of files such as ISO, LNK and RAR is expected to continue.”

Leave a Comment