In response to Microsoft's announcement that it will block XL4 and VBA macros by default in Microsoft Office applications, Proofpoint highlights how threat actors have already begun to adopt new techniques
While Microsoft recently announced that it will block the execution of VBA and XL4 macros in Office documents downloaded from the Internet in order to improve security, the response from cybercriminals was not long in coming. Threat actors have reacted by moving away from macro-based threats and adopting new tactics, techniques and procedures (TTPs).

Based on Proofpoint's analysis of campaign data, which includes both campaigns analyzed manually and those contextualized by its researchers, the use of macro-enabled documents attached to messages to deliver malware fell by about 66% between October 2021 and June 2022, while the use of container files, such as ISO and RAR attachments and Windows shortcut (LNK) files, increased.

"The abandonment by threat actors of the direct distribution of macro-based attachments in emails represents a significant change in the threat landscape. They are adopting new tactics to distribute malware, and the increase in the use of files such as ISO, LNK and RAR is expected to continue," said Sherrod DeGrippo, Vice President, Threat Research and Detection at Proofpoint.

VBA macros are used by threat actors to automatically execute malicious content once the user has actively enabled macros in an Office application. XL4 macros are specific to Excel, but they can likewise be used by cybercriminals as a malware vector. Typically, threat actors who distribute macro-enabled documents rely on social engineering to convince the recipient that the content is important and that macros must be enabled to view it.
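As an added illustration of the attachment types discussed above (example code written for this page, not Proofpoint's own tooling), the following Python classifies email attachments into the container types named in the report and the two macro kinds: VBA is recognised by a vbaProject.bin part and XL4 by parts under xl/macrosheets/ inside an Office Open XML package. The sample documents it builds are constructed in memory and are not real files from any campaign.

```python
import io
import zipfile

# Container attachment types the report names as replacing macro documents.
CONTAINER_EXTENSIONS = {".iso", ".rar", ".lnk"}

def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'container', 'vba-macro', 'xl4-macro',
    'office-no-macro' or 'other' by extension and OOXML zip contents.
    Legacy binary .doc/.xls files are not parsed here and come back as 'other'."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in CONTAINER_EXTENSIONS:
        return "container"
    if not data.startswith(b"PK"):  # OOXML documents are zip packages
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = [p.lower() for p in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"
    if "[content_types].xml" not in parts:
        return "other"  # a zip, but not an Office Open XML package
    if any(p.endswith("vbaproject.bin") for p in parts):
        return "vba-macro"  # embedded VBA project
    if any(p.startswith("xl/macrosheets/") for p in parts):
        return "xl4-macro"  # Excel 4.0 macro sheet parts
    return "office-no-macro"

def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for path, content in parts.items():
            zf.writestr(path, content)
    return buf.getvalue()

def summarize(attachments) -> dict:
    """Tally attachments per class, the kind of count behind the macro-to-container shift."""
    counts = {}
    for filename, data in attachments:
        label = classify_attachment(filename, data)
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    sample = [("invoice.docm", build_ooxml({"word/vbaProject.bin": b"\x00"})),
              ("delivery.iso", b"\x00" * 16), ("notes.docx", build_ooxml({"word/document.xml": "<w/>"}))]
    print(summarize(sample))
```

Running the tally over two time windows of a mail gateway's attachment log gives the same kind of comparison the report draws between macro documents and container files.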