Dive Brief:

• Financially motivated hacking groups are employing new attack methods after Microsoft began to block macros by default in 2022, according to a report released by Proofpoint. 
• An attack method called HTML smuggling has risen sharply since June 2022, reaching an initial peak in October, then returning as a preferred method in February, according to Proofpoint. The method involves “smuggling” an encoded script within an HTML attachment and when the user opens the link a malicious payload is unloaded on the victim’s computer.
• The technique was initially employed by known threat actors TA570 and TA577, but after October was used in campaigns by other groups. Multiple groups, including initial access brokers, have been observed using PDF attachments to launch attacks since December 2022, with a spike in early 2023.

Dive Insight:

Microsoft previously announced steps in October 2021 and February 2022  to block XL4 and VBA macros by default, respectively.  Criminal groups had been using macros as initial access payloads to launch attacks. 

Proofpoint observed almost 700 campaigns using VBA macros in 2021, and nearly the same number of campaigns using XL4 macros. However, after Microsoft began blocking those macros, the use of either type dropped by two-thirds. 

By 2023, the use of macros barely showed up in any research data as threat actors began to shift tactics.

“Threat actors have begun using a variety of different file types in attack chains, and changing them up on a regular basis,” Selena Larson, senior threat intelligence analyst at Proofpoint, said via email.

Beyond HTML smuggling and PDF files, researchers have seen a spike in the use of OneNote files containing embedded scripts since early 2023, according to Larson.

Microsoft officials did not return a request for comment.