- Aug 1, 2022

Attackers find new ways to bypass Microsoft's macro protection

Proofpoint researchers noted that malicious macro-enabled documents attached directly to messages are becoming less and less used as a medium to deliver malware via email. Threat actors switch to e-mail attachments using Windows shortcut files (LNK) and container file formats such as ISO or RAR.

The decline in directly attached Office documents is the result of Microsoft's announcement earlier this year to block VBA macros obtained from the Internet. The new feature relies in the Mark Of The Web (MOTW) feature that shows whether a file is downloaded or originating from the internet. However, it is well known that MOTW can be bypassed by encapsulating Office files into container file formats such as ISO, RAR, ZIP and IMG.

Microsoft's move certainly makes it more difficult to distribute macro based malware, as it increases the number actions which the user has to perform in order to activate malicious code.

On the other hand, it shows the threat actors' continuous adaptation and innovation in finding new ways to attack users.

Learn more at Help Net Security.

Moscow OT Infrastructure Breached: the Lessons

Here we go again: A Public-Facing Vulnerability in Palo Alto Networks Firewalls

Supply chain attack against open source?

Ransomware accelerates the move to cloud services? The British Library case

The latest SEC cybersecurity incident disclosures - what's the result so far?

UnitedHealth ransomware attack - what's behind it?

Business Email Compromise (BEC), more costly than ransomware?

Latest Exchange vulnerability not serious, but a warning for customers

The Ivanti Blunder - Consider the Risks

Another Vulnerability, Another Scramble for Patching - This Time Fortinet