Microsoft Macroblocking and the Evolution of Malware Delivery
Ever since Microsoft changed its policy to block Office macros by default, cybercriminals have been forced to evolve and find new ways of delivering malware. For a long time, attackers used malicious Microsoft Office macros to gain access to their targets’ computers. This prompted Microsoft to block macros by default in files downloaded from the Internet, starting in 2022. The change significantly decreased macro-enabled attacks, pushing cybercriminals to find new methods for delivering malware.
How Attackers Have Adjusted
Threat actors have been searching for a new delivery method for their malware. When macros were blocked, attackers started using “container files” as an alternative. Microsoft addressed that workaround too, and attackers moved on to other options. In the latter half of 2022, for instance, HTML smuggling became popular: instead of a macro, the attacker slips an encoded script through an HTML attachment. In 2023, PDFs rose in popularity as a file format among attackers. More recently, malicious campaigns have been observed using Microsoft’s OneNote app to deliver their malware. Over 120 campaigns have made use of OneNote to date, but none of them has had the same durability as macro-enabled attachments.
What This Means for Security Teams
The policy change has made a big difference in the cybercrime landscape. Attackers are now forced to be more creative, which gives them more opportunities to make mistakes. Cyber defenders must move just as fast to keep up. They must also come up with new detections and rules so that threat actors cannot bypass existing detections. Organizations need to keep up to date with the latest trends and incorporate new potential threats into security training. From an overall, holistic security viewpoint, however, nothing needs to change drastically as long as users are aware of the new methods for delivering malware.
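As an added example of the kind of new detection rule this section calls for (code written for this page, not from the original article or any vendor product), the Python heuristic below scores an HTML attachment for the HTML-smuggling pattern described earlier: a large encoded payload plus the browser-side script that decodes and saves it. The indicator list, the 2000-character base64 cut-off, the scoring threshold and the two fixture documents are all assumptions.

```python
import re
import base64
from dataclasses import dataclass, field

# Indicators an HTML-smuggled attachment typically combines: a large encoded
# blob and the client-side glue that decodes it into a file the browser saves.
JS_DECODE = re.compile(r"\b(atob|Uint8Array|Blob|msSaveOrOpenBlob|createObjectURL)\b")
DOWNLOAD_HINT = re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")  # long base64-looking run

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def analyze_html(html: str) -> Verdict:
    """Heuristically score one HTML attachment for HTML-smuggling indicators."""
    v = Verdict()
    if JS_DECODE.search(html):
        v.score += 2; v.reasons.append("client-side decode / Blob API")
    if DOWNLOAD_HINT.search(html):
        v.score += 2; v.reasons.append("programmatic download attribute")
    for blob in B64_RUN.findall(html):
        head = blob[: min(len(blob), 4000) // 4 * 4]  # decode a 4-aligned prefix
        try:
            raw = base64.b64decode(head, validate=True)
        except ValueError:
            continue
        v.score += 2; v.reasons.append(f"embedded base64 payload ({len(blob)} chars)")
        if raw[:2] in (b"PK", b"MZ"):  # zip or PE header hidden in the blob
            v.score += 3; v.reasons.append("payload starts with a zip/PE header")
        break
    return v

def is_suspicious(html: str, threshold: int = 5) -> bool:
    return analyze_html(html).score >= threshold

# Constructed fixtures (not real samples): a benign page and a page carrying an
# encoded zip plus decode/download glue, as an HTML-smuggling attachment would.
BENIGN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 1600).decode()
SMUGGLED_HTML = (
    "<html><body><script>var b='" + _FAKE_ZIP_B64 + "';"
    "var f=new Blob([atob(b)]);var a=document.createElement('a');"
    "a.download='invoice.zip';</script></body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        print(name, analyze_html(doc), is_suspicious(doc))
```

Legitimate HTML mail with large inline images will also trip the base64 check, so in practice the score is a triage signal to pair with sandboxing, not a blocking rule on its own.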
Conclusion
Microsoft’s policy change of blocking macros by default has drastically decreased macro-enabled attacks. However, it has also forced cybercriminals to find new methods of delivering malware, and their efforts have been inventive and fast-paced. Cyber defenders and organizations must keep up to date with the latest trends and incorporate new potential threats into security training to stay ahead of the game.