Threat actors are embedding macro-enabled Office documents in container files such as archives and disk images to circumvent a recently rolled-out macro-blocking feature in Microsoft Office.
Initially announced in February, the macro-blocking feature is meant to prevent phishing attacks by making it more difficult for users to enable macros in documents received from the internet.
Small snippets of code embedded in Office documents, macros have long been abused by threat actors in phishing attacks and for malware delivery.
In 2016, Microsoft disabled the automated execution of macros in Office documents received from the Internet, but has allowed users to enable them with a single click.
Adversaries have been using various social engineering techniques to trick users into enabling the macros, and Microsoft in February announced a new mechanism to block macros by default in documents received from the internet.
A red notification at the top of the page warns users that macros have been blocked and, if clicked on, takes them to a web article explaining the risks associated with malicious macros.
Currently rolling out to Access, Excel, PowerPoint, Visio, and Word on Windows, the feature essentially stamps these documents with a “Mark Of The Web” (MOTW) that can be removed if the user saves the document to the local disk.
To circumvent the mechanism and ensure the immediate execution of the embedded macros, threat actors are now delivering Office documents inside container file formats such as IMG (.img), ISO (.iso), RAR (.rar), and ZIP (.zip), Proofpoint warns.
“When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” Proofpoint explains.
While the user would still have to enable macros in the extracted document, the system will no longer see the document as coming from the internet, and will not apply the highest level of protection.
Container files have also been used to distribute payloads directly, including shortcut files (.lnk), DLLs, and executables (.exe) that allow for the direct installation of malware.
Between October 2021 and June 2022, Proofpoint has observed a sharp decrease in macro-enabled documents delivered as email attachments, but noticed a massive increase in the use of ISO, RAR, and LNK files during the same timeframe. The use of LNK files went up 1,675% since October 2021.
“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different file types for initial access. This change is led by the adoption of ISO and other container file formats, as well as LNK files. Such file types can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware,” Proofpoint concludes.