Microsoft’s recent crackdown on untrusted Office macros is both good and bad. The good news is that macros in Office files arriving by email or downloaded from the internet are now blocked rather than a click away. The bad news is that attackers have simply changed tactics and are increasingly using Windows shortcut (LNK) files instead. Security company Proofpoint says that since Microsoft started blocking Office macros, attackers have switched to container files such as ISO and RAR attachments and to Windows Shortcut (LNK) files.
In February, Microsoft said that it would start blocking internet-sourced Visual Basic for Applications (VBA) macros in April, a significant change to Office’s default behaviour. That rollout was delayed and only began this week. “The biggest change in campaign data is the use of LNK files, which have been used by at least 10 threat actors tracked since February 2022. Since October 2021, there have been 1,675 percent more campaigns with LNK files,” says Proofpoint.
According to Proofpoint, the number of malicious macros in email attachments dropped by about 66 percent between October 2021 and June 2022. Even before February, threat actors were already using .LNK files, because Microsoft has been cracking down on macros for years.
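The LNK files Proofpoint describes are worth triaging automatically when they turn up inside ISO or RAR attachments, because the shortcut’s command line is where the malicious behaviour lives. The following is an added example, not code from the article, Proofpoint or Microsoft: a minimal parser for the Shell Link binary format (MS-SHLLINK) that reads the header and LinkFlags, skips the LinkTargetIDList and LinkInfo structures, decodes the StringData fields (relative path, working directory, arguments, icon location) and applies a few simple heuristics. The two shortcut files it analyses are constructed inside the block; the suspicious-token list and the decoy-icon rule are assumptions to tune locally, not Proofpoint’s detection logic.

```python
"""Minimal .LNK (MS-SHLLINK) parser and triage helper for mail/sandbox pipelines."""
import struct

# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (GUID byte order)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # window starts minimised; popular in malicious shortcuts

# Assumption: heuristics chosen for illustration, tune them for your estate
SUSPICIOUS_TOKENS = (
    "cmd.exe", "cmd /c", "powershell", "pwsh", "mshta", "rundll32", "regsvr32",
    "wscript", "cscript", "certutil", "bitsadmin", "curl ", "-enc", "-w hidden",
    "-nop", "iex", "downloadstring", "http://", "https://",
)
DECOY_ICONS = ("shell32.dll", "imageres.dll", "wordicon.exe", "xlicons.exe")

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader, skip LinkTargetIDList/LinkInfo, decode StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize/LinkCLSID)")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)  # ShowCommand field
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) followed by the IDList
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) covers the whole structure
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:       # CountCharacters (u16) then chars, no terminator
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def triage_lnk(data: bytes) -> dict:
    """Return a verdict plus the indicators that fired."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    cmdline = (target + " " + info.get("arguments", "")).lower()
    indicators = [tok for tok in SUSPICIOUS_TOKENS if tok in cmdline]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("window-minimised")
    # Icon borrowed from a system DLL while the target is something else: weak alone,
    # strong together with a script-host command line
    icon_base = info.get("icon_location", "").lower().rsplit("\\", 1)[-1]
    target_base = target.lower().rsplit("\\", 1)[-1]
    if icon_base in DECOY_ICONS and icon_base != target_base:
        indicators.append("decoy-icon")
    return {"verdict": "suspicious" if indicators else "benign",
            "indicators": indicators, "target": target,
            "arguments": info.get("arguments", "")}


def build_lnk(relative_path: str, arguments: str, working_dir: str,
              icon_location: str, show_command: int = SW_SHOWNORMAL) -> bytes:
    """Build a minimal Unicode .LNK: constructed test data, not a real sample."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    # Throwaway LinkTargetIDList: one 4-byte ItemID plus the 2-byte TerminalID
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, working_dir, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a "document" that really launches a hidden PowerShell, and a
# normal editor shortcut. The payload is harmless by design.
MALICIOUS_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    arguments='/c powershell -w hidden -nop -c "Start-Process calc.exe"',
    working_dir="%TEMP%",
    icon_location="%SystemRoot%\\System32\\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(
    relative_path="..\\..\\..\\Program Files\\Notepad++\\notepad++.exe",
    arguments="",
    working_dir="C:\\Program Files\\Notepad++",
    icon_location="C:\\Program Files\\Notepad++\\notepad++.exe",
)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

Pointing `parse_lnk` at the contents of an extracted ISO or archive member gives you the target and arguments without ever resolving the shortcut, which is the point: the file must never be double-clicked on an analyst workstation.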
Abusing Office macros, scripts embedded in Word or Excel files that automate repetitive tasks such as monthly accounting, is a durable technique for attackers because it is not a bug that can be patched; it relies instead on tricking employees into enabling a feature most of them do not need.
As part of Microsoft’s latest crackdown, which started this week, Office apps now block by default all VBA macros in files that arrive as email attachments or are downloaded from the internet. Admins no longer have to configure policies to block untrusted VBA macros, and it is harder for users to quietly turn macros back on.
Since 2016, Microsoft has been making it progressively harder to run macros. At the time it said that 98 percent of Office-targeted threats used macros. It also turned off Excel 4.0 macros (XLM) by default in January. Excel added XLM in 1992, and people still use it even though VBA superseded it in 1993.
In 2018, Microsoft enabled antivirus software to integrate with Office, through the Antimalware Scan Interface (AMSI), to scan files for malicious VBA macros. In March 2021, it extended that interface to XLM macros, because attackers had moved to XLM after the crackdown on VBA macros.
“Even though XLM is less advanced than VBA, it is still powerful enough to work with the operating system, and many organisations and users continue to use its features for good reasons. Cybercriminals know this and have been using XLM macros to call Win32 APIs and run shell commands more and more often,” Microsoft said at the time.
XLM, also called XL4, was taken up by the professional malware gangs behind the versatile Emotet malware. Again, the timing of XLM’s adoption tracked Microsoft’s blocking of these macros and its opening of Office files to antivirus scanning for them.
“In March 2022, a lot of XL4 macros were used. This is probably because TA542, the group that spreads the Emotet malware, ran more campaigns with more messages than in previous months. Most of the time, TA542 uses VBA or XL4 macros in Microsoft Excel or Word documents. After that, Emotet’s activity dropped in April, and in subsequent campaigns, it started using other ways to deliver files, such as Excel Add-in (XLL) files and zipped LNK attachments,” Proofpoint notes.