Dive Brief:
- Threat actors are increasingly distributing malware via container files, including ISO and RAR, as well as Windows shortcut files (LNK), following prior decisions by Microsoft to block macros by default in Microsoft Office, according to Proofpoint research released Thursday.
- Microsoft previously disclosed plans to block XL4 and VBA macros in Office by default in October 2021 and February, respectively.
- Proofpoint researchers said the use of VBA and XL4 macros fell by 66% between October 2021 and June of this year. The researchers call the movement one of the “largest email threat landscape shifts in recent history.”
Dive Insight:
The Proofpoint findings mark the latest twist in an ongoing conversation about how Microsoft has managed threats targeting its widely used enterprise platforms, which millions of corporate workers and others rely on to conduct essential business functions.
Last week, Microsoft resumed default blocking after temporarily suspending the rollout in early July. The company also updated its end-user and IT-administrator documentation to make it easier for customers to know what options were available.
Microsoft blocks VBA macros based on the Mark of the Web (MOTW) attribute, known as the Zone Identifier, which records whether a file came from the internet, according to Proofpoint. When certain documents are downloaded, Windows adds this attribute to the file.
However, a red teamer or a threat actor can bypass MOTW by using container file formats, according to Proofpoint: the attribute is applied to the downloaded container, not necessarily to the files inside it.
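As an added, defender-side example that is not part of the Proofpoint research or this article: the script below parses the Zone.Identifier stream that Windows writes as the Mark of the Web, reads it from NTFS where available, and flags document or shortcut files pulled out of a downloaded container that carry no Internet-zone mark, which is exactly the gap where Office's macro block would not trigger. The `[ZoneTransfer]` / `ZoneId` layout and the zone numbers are the real Windows format; the extension list, the sample stream text and the file names are constructed assumptions for the demonstration.

```python
"""Zone.Identifier (Mark of the Web) audit for files pulled out of container formats.

Windows records a file's download origin in an NTFS alternate data stream
named Zone.Identifier whose body is INI-like:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.invalid/
    HostUrl=https://example.invalid/invoice.iso

Office blocks macros only when ZoneId marks the file as Internet (3) or
Restricted sites (4).  Files extracted from a marked ISO or archive may carry
no stream at all.  parse_zone_identifier() and audit_unmarked_files() work on
plain strings so the logic runs on any OS; read_zone_identifier() and
collect_streams() need an NTFS volume on Windows.
"""
import configparser
import os
from typing import Dict, List, Optional

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Assumed list: macro-capable Office types plus Windows shortcuts.  Adjust to
# the file types your organisation actually allows through mail and downloads.
RISKY_TYPES = {".doc", ".dot", ".xls", ".xla", ".ppt", ".docm", ".dotm",
               ".xlsm", ".xlam", ".pptm", ".lnk"}


def parse_zone_identifier(stream_text: Optional[str]) -> Dict[str, Optional[object]]:
    """Parse a Zone.Identifier stream body.  None, malformed text, or text
    without a [ZoneTransfer] section means the file carries no Mark of the Web."""
    info: Dict[str, Optional[object]] = {"zone_id": None, "zone_name": None,
                                         "referrer_url": None, "host_url": None}
    if not stream_text:
        return info
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(stream_text.lstrip("\ufeff").replace("\r\n", "\n"))
    except configparser.Error:
        return info  # not a valid stream: treat as unmarked
    if not parser.has_section("ZoneTransfer"):
        return info
    section = parser["ZoneTransfer"]
    try:
        zone_id = section.getint("ZoneId", fallback=None)
    except ValueError:
        zone_id = None  # non-numeric ZoneId: treat as unmarked
    info["zone_id"] = zone_id
    info["zone_name"] = ZONE_NAMES.get(zone_id, "Unknown") if zone_id is not None else None
    info["referrer_url"] = section.get("ReferrerUrl")
    info["host_url"] = section.get("HostUrl")
    return info


def is_marked_from_internet(stream_text: Optional[str]) -> bool:
    """True when Office would treat the file as downloaded (ZoneId 3 or 4)."""
    zone = parse_zone_identifier(stream_text)["zone_id"]
    return zone is not None and zone >= 3


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the raw stream from NTFS.  Alternate data streams are opened as
    '<file>:Zone.Identifier'; on other filesystems or OSes this yields None."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def collect_streams(root: str) -> Dict[str, Optional[str]]:
    """Map every file under root (a mounted ISO drive letter or an extraction
    folder) to its Zone.Identifier text, or None when it has none."""
    result: Dict[str, Optional[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = read_zone_identifier(full)
    return result


def audit_unmarked_files(container_stream: Optional[str],
                         contents: Dict[str, Optional[str]]) -> List[str]:
    """Return risky files inside a container that lack an Internet-zone mark
    even though the container itself was marked as downloaded."""
    if not is_marked_from_internet(container_stream):
        return []  # container was not from the Internet; nothing was lost in extraction
    findings = []
    for rel_path, stream in contents.items():
        ext = os.path.splitext(rel_path)[1].lower()
        if ext in RISKY_TYPES and not is_marked_from_internet(stream):
            findings.append(rel_path)
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: a downloaded ISO that carries MOTW, and the files seen
    # after mounting it, none of which has a Zone.Identifier stream of its own.
    ISO_STREAM = ("[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://mail.example.invalid/\n"
                  "HostUrl=https://cdn.example.invalid/invoice.iso\n")
    MOUNTED = {"invoice.docm": None, "invoice.lnk": None, "readme.txt": None}
    for finding in audit_unmarked_files(ISO_STREAM, MOUNTED):
        print("no Mark of the Web on extracted file:", finding)
```

On a Windows host, replace the constructed `MOUNTED` mapping with `collect_streams(r"E:\")` (or the extraction folder) and pass `read_zone_identifier(path_to_iso)` as the container stream; the audit then reports which documents inside a downloaded container would open with macros unblocked.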
In 2020, a firm called Outflank demonstrated how MOTW can be bypassed when doing penetration testing.
Criminal threat actors are increasingly using ISO and LNK files for initial access in campaigns, for example to distribute Bumblebee malware, according to Proofpoint.
Since February 2022, Proofpoint researchers have tracked at least 10 threat actors using LNK files. Overall, the number of campaigns using LNK files has risen 1,675% since October 2021, according to Proofpoint.