Malicious Microsoft Office attachments are more common than malicious batch scripts and PowerShell scripts, according to Cofense. Here’s how to protect your business.
Microsoft Office documents packed with malicious macros are the most common malware loader of the past month, accounting for 45% of all delivery mechanisms analyzed, according to a Thursday report from Cofense.
Office Macros were followed in popularity by CVE-2017-11882, malicious batch scripts, malicious PowerShell scripts, and WSC downloaders, the report found.
This demonstrates that threat actors tend to leverage tried-and-tested delivery mechanisms, the report noted. Macros may have a low barrier to entry, but they are not used only by immature or low-impact cybercriminals: Malware delivered via macros is among the worst in today’s threat landscape, including Geodo, Chanitor, AZORult, and GandCrab, according to the report.
Macros remain a popular email attachment method of delivering a malicious payload because they are typically enabled on a machine, or easily allowed with a single mouse click, the report noted—making it very easy to launch the first stage of an attack. When used this way, macros are embedded Visual Basic scripts that are often used to download or directly execute further payloads.
The Microsoft Office Macro feature could be enabled by default in your organization’s IT environment, according to the report. When this is the case, a user may not receive any warning that something is wrong upon opening a malicious document. Even when an organization has some kind of protection in place—such as a security warning at the top of the document—it can often be dismissed with just one click, or may be ignored by the user.
IT departments can protect their organization from macros by disabling them enterprise-wide, the report said. However, many businesses rely on macros for their legitimate usage, in which case IT may want to consider enacting a blanket policy of blocking documents at the gateway, or, perhaps more realistically, combining different policies such as blocking or grey-listing documents coming from unknown senders. Security education is also key, the report said.
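One way to implement the gateway policy described above, as an added example that is not part of the report or this article: it flags OOXML attachments that carry a vbaProject.bin macro part, treats legacy binary Office files conservatively, and returns a block / grey-list / allow decision by sender domain. The trusted-sender list and the minimal test documents are constructed for this example.

```python
import io
import zipfile

# Constructed for this example: domains the organization treats as known senders.
KNOWN_SENDERS = {"partner.example", "corp.example"}

# Magic bytes of the legacy binary Office container (.doc/.xls), which can hold
# macros without a separate vbaProject part and is not inspected further here.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a VBA macro project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        # Not a readable zip: leave the decision to the other checks.
        return False


def classify_attachment(data: bytes, sender: str) -> str:
    """Gateway decision for one attachment: 'allow', 'greylist' (hold for review) or 'block'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    known = domain in KNOWN_SENDERS
    if has_vba_project(data):
        # Macro-bearing document: block outright from unknown senders, hold even from known ones.
        return "greylist" if known else "block"
    if data.startswith(OLE_MAGIC):
        # Legacy format that may hide macros: hold regardless of sender.
        return "greylist"
    # Macro-free modern document: grey-list unknown senders, allow known ones.
    return "allow" if known else "greylist"


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for exercising the checks (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```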