Attackers find new ways to bypass Microsoft's macro protection
Proofpoint researchers noted that malicious macro-enabled documents attached directly to messages are becoming less and less used as a medium to deliver malware via email. Threat actors switch to e-mail attachments using Windows shortcut files (LNK) and container file formats such as ISO or RAR.
The decline in directly attached Office documents is the result of Microsoft's announcement earlier this year to block VBA macros obtained from the Internet. The new feature relies in the Mark Of The Web (MOTW) feature that shows whether a file is downloaded or originating from the internet. However, it is well known that MOTW can be bypassed by encapsulating Office files into container file formats such as ISO, RAR, ZIP and IMG.
Microsoft's move certainly makes it more difficult to distribute macro based malware, as it increases the number actions which the user has to perform in order to activate malicious code.
On the other hand, it shows the threat actors' continuous adaptation and innovation in finding new ways to attack users.
Learn more at Help Net Security.