Hackers Opting New Assault Strategies After Microsoft Blocked Macros by Default

With Microsoft taking steps to dam Excel 4.0 (XLM or XL4) and Visible Fundamental for Functions (VBA) macros by default throughout Workplace apps, malicious actors are responding by refining their new ways, methods, and procedures (TTPs).

“Using VBA and XL4 Macros decreased roughly 66% from October 2021 via June 2022,” Proofpoint stated in a report shared with The Hacker Information.

Instead, adversaries are more and more pivoting away from macro-enabled paperwork to different options, together with container information equivalent to ISO and RAR in addition to Home windows Shortcut (LNK) information in campaigns to distribute malware.

“Menace actors pivoting away from straight distributing macro-based attachments in electronic mail represents a major shift within the risk panorama,” Sherrod DeGrippo, vice chairman of risk analysis and detection at Proofpoint, stated in an announcement.


“Menace actors are actually adopting new ways to ship malware, and the elevated use of information equivalent to ISO, LNK, and RAR is predicted to proceed.”

VBA macros embedded in Workplace paperwork despatched through phishing emails have confirmed to be an efficient approach in that it permits risk actors to mechanically run malicious content material after tricking a recipient into enabling macros through social engineering ways.

Nonetheless, Microsoft’s plans to block macros in information downloaded from the web have led to email-based malware campaigns experimenting with different methods to bypass Mark of the Internet (MOTW) protections and infect victims.

This entails the usage of ISO, RAR and LNK file attachments, which have surged almost 175% throughout the identical interval. Not less than 10 risk actors are stated to have begun utilizing LNK information since February 2022.

“The variety of campaigns containing LNK information elevated 1,675% since October 2021,” the enterprise safety firm famous, including the variety of assaults utilizing HTML attachments greater than doubled from October 2021 to June 2022.


Among the notable malware households distributed via these new strategies include Emotet, IcedID, Qakbot, and Bumblebee.

“Typically talking, these different file varieties are straight connected to an electronic mail in the identical method we might beforehand observe a macro-laden doc,” DeGrippo advised The Hacker Information in an emailed response.

“There are additionally circumstances the place the assault chains are extra convoluted, for instance, with some current Qbot campaigns the place a .ZIP containing an ISO is embedded inside an HTML file straight connected to a message.”

“As for getting meant victims to open and click on, the strategies are the identical: a wide selection of social engineering ways to get individuals to open and click on. The preventive measures we use for phishing nonetheless apply right here.”

Leave a Comment