Microsoft’s crackdown on untrusted Office macros comes with both good and bad news. The good news is that the use of Office macros in email attachments or links has been reduced. The bad news is that attackers are changing tactics and are ramping up the use of Windows .LNK shortcuts.
Since Microsoft banned Office macros, attackers have been using container files such as ISO files, RAR attachments, and Windows Shortcut (LNK) files, according to security company Proofpoint.
The turning point in the use of macros came in February, when Microsoft announced that, beginning in April, it would implement standard blocking of Visual Basics for Applications (VBA) macros coming from the Internet. This rollout plan has been delayed until this week.
“The most notable change is the introduction of LNK files; at least 10 tracked attackers have started using LNK files since February 2022. The number of campaigns containing LNK files has increased by 1675% since October 2021,” notes Proofpoint.
According to Proofpoint, the number of email attachments containing malicious macros decreased by approximately 66% between October 2021 and June 2022.
The adoption of .LNK files by attackers took place before February, since Microsoft’s macro blocking measures began several years ago.
The malicious use of Office macros—scripts in Word or Excel files that automate repetitive tasks—is a convenient technique for attackers. Indeed, the flaw cannot be fixed, and the tactic is to encourage employees to activate a feature that most do not need.
Microsoft’s latest measure, implemented this week, is to force Office applications to block VBA macros in any attachments or links in received emails by default. This saves administrators the hassle of configuring domains to block untrusted VBA macros and makes it harder for users to enable macros through the back door.
Since 2016, Microsoft has gradually introduced more and more restrictions on running macros. At the time, the company claimed that 98% of threats targeting Office used macros. In January, Microsoft also disabled Excel 4.0 (XLM) macros by default. XLM was added to Excel in 1992 but is still in use today, although VBA supplanted it in 1993.
Hey LNK, watch out!
In 2018, Microsoft made it possible for antivirus vendors to integrate with Office to scan files for malicious VBA macros. She added XLM macros to this antivirus interface in March because attackers started using XLM.
“While XLM is more primitive than VBA, it is powerful enough to allow interaction with the operating system, and many organizations and users continue to use its functionality for legitimate purposes.” Cybercriminals know this and are increasingly misusing XLM macros to call Win32 APIs and execute shell commands.
XLM, also known as XL4, has been adopted by the cybercriminals behind the Emotet malware. Again, the use of XLM correlates with Microsoft’s decision to block these macros and allow antivirus vendors to scan Office files for these scripts.
“The peak use of the XL4 macro was in March 2022. This is likely because TA542, the Emotet malware actor, ran more high-volume campaigns than in previous months. Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros. Emotet activity then declined in April, and in subsequent campaigns, the company began using other delivery methods, including Excel add-in files (XLL) and compressed LNK attachments,” notes Proofpoint.