While it’s a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt users to enable macros in order to directly trigger the infection chain, recent findings now show attackers are using non-malicious documents to disable security warnings prior to executing macro security code to infect victim’s computers.

The findings indicate attackers are able to manipulate the Office “Enable Content” script settings in order to completely bypass security warnings and give users the most convincing case possible that macros are disabled by policy. This likely is a smart tactic considering organizations routinely disable the Content Advisor security warning using a Group Policy or Registry edit, which could convince unsuspecting users that macros are disabled by the policy when they are not.

To learn more about this new attack vector, Canada-based Malwarebytes security researcher Christian Jardine found that the macros in question are typically used for data extraction. When enabled, macros open a remote command console for attackers that are in control of the macro security to automate actions such as file extractions. It’s possible attackers are seeking to use this new tactic for other reasons as well.

“If you are using Office 2007 or 2010 and have macros disabled by policy (Group Policy or Registry modification) then there is a chance malicious macros could be hiding within documents,” Jardine tells CyberScoop. “This is especially true if your machine is compromised via a phishing campaign. Malicious macros could be hiding within the documents to download additional malware.”

To find out if malicious macros were hidden within documents, Jardine analyzed over 300 document samples taken from a single phishing campaign in order to determine the script exploits. He discovered that over 90 percent of the documents contained at least one macro security code execution exploit, but in less than 5 percent of cases these macros were not abusing the “Enable Content” setting. Instead, they were able to bypass content warnings by disabling the security messages. By using the “Enable Content” setting, users could open an office application with content warnings disabled in Windows 7 and 8 environments. In all instances, both Windows 7 and 8 disabled any alerts for suspicious actions taken by macros when enabled.

To detect this malicious activity, Jardine created a simple Python script that was able to show whether or not the “Enable Content” settings were enabled in Word documents. Jardine says his script, which was not aimed to detect malicious macros but rather spot if any macros are embedded within documents, could be adapted by others to block macros in Office documents that don’t appear to be benign.

“The script itself is very basic and does not look or function like a regular macro,” Jardine says. “This is why it bypassed the detection attempts of most Office applications.”

Jardine’s findings are troubling because attacks leveraging this new attack vector would be extremely hard to detect, meaning both businesses and home users are at a much higher risk of infection than they may think. Additionally, Jardine says documents with malicious content would be more difficult to detect because the script could also be used for legitimate actions in workflow processes.

Office macros have been used for years for legitimate reasons, but in recent years attackers have started leveraging these scripts as part of infections that target organizations. In the past several years, macro infections have been used to spread ransomware and critical exploits such as Netplex, as well as the WannaCry and Petya outbreaks.

Jardine urges users and businesses to be careful about macros in Office documents, especially given the discovery that attackers are now using these scripts as part of a phishing campaign to deceive victims into enabling macros. “If you are using Office 2007 or 2010 and have macros disabled by policy (Group Policy or Registry modification) then there is a chance malicious macros could be hidden within documents,” Jardine says. “This is especially true if your machine is compromised via a phishing campaign.”

Interested in learning about other malware that could affect your business? Email Spoofing – Check Your Domain Security covers how malware can attack through email.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, Macro Security

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.