In 1999, the Melissa virus wreaked havoc all over the world by delivering a malicious macro via email attachment. After a decade of quiet, macro malware is making a comeback, with victims ranging from small business to enterprises.
Macro malware spreads through infected Microsoft Office documents. Attackers send infected documents via email, either as attached files or as links to files hosted in trusted cloud storage services, like Dropbox and OneDrive. Once users download the files and enable macros, their local devices become infected. Although recipients can open infected files on multiple devices, the macros are typically programmed to run malicious code on Windows devices only.
Doesn’t Office Disable Macros by Default?
Since Office 2010, Office apps ask the user’s permission before running macros. Office 365 Web apps like Word Online and Excel Online don’t run macros at all.
The key to getting recipients to download and run macros willingly lies in social engineering. For example:
- CareerBuilder. Attackers created their own candidate profiles on CareerBuilder and sent infected resumes to target companies that advertised jobs on the site. CareerBuilder seemed like a trustworthy sender, so recipients downloaded the attachments and enabled macros containing Dridex malware.
- Phishing emails appearing to be from the U.S. Postal Service claimed difficulty with delivering a package. To get the details, recipients downloaded a document or clicked a link to a hosted document, which contained macro malware.
What Happens When Users Run Malicious Macros?
Most users open the infected document, enable macros, and see nothing happen. Feeling suspicious, they delete the document, but by then the macro has already dropped its payload on the machine.
Most of today’s macro malware focuses on gathering information from machines, not on replicating through a network. Some macros drop persistent binary files that monitor Windows computers, while others execute malicious routines using Windows PowerShell. The malicious programs sometimes report information back to remote servers, such as the user’s OS, OS version, device type, and privilege level. In some cases, they drop a keylogger to capture sensitive data, including usernames and passwords.
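The Office-to-PowerShell behaviour just described is visible in process telemetry even when the macro itself goes unnoticed. The following is an added example, not code from the original article: it parses a few constructed process-creation records and flags any PowerShell or Windows Script Host process whose ancestry leads back to an Office application. The one-line log format, the sample process tree, the list of Office and script-host image names and the lineage depth are all assumptions made for the example.

```python
"""Flag script hosts (PowerShell, WSH) launched beneath an Office application.

Added example, not code from the original article. The log format below is
a constructed, simplified process-creation record (one event per line); real
telemetry (Sysmon event 1, EDR process events) carries the same fields.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts pid ppid image")

# Office applications that host macros, and the interpreters the article
# mentions macros using (PowerShell and Windows Script Host). Assumed lists.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

LINE_RE = re.compile(r"ts=(\S+) pid=(\d+) ppid=(\d+) image=(.+)$")

# Constructed sample: Word spawns cmd.exe, which spawns PowerShell (suspicious),
# while a separate PowerShell launched from Explorer is ordinary admin use.
SAMPLE_EVENTS = r"""
ts=2016-03-01T09:12:01Z pid=1201 ppid=900 image=C:\Windows\explorer.exe
ts=2016-03-01T09:12:05Z pid=2044 ppid=1201 image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
ts=2016-03-01T09:12:09Z pid=2310 ppid=2044 image=C:\Windows\System32\cmd.exe
ts=2016-03-01T09:12:10Z pid=2355 ppid=2310 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ts=2016-03-01T09:15:00Z pid=2600 ppid=1201 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""


def basename(image):
    """Last path component, lower-cased, so WINWORD.EXE and winword.exe match."""
    return re.split(r"[\\/]", image)[-1].lower()


def parse_events(text):
    """Parse the key=value lines into Event tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, ppid, image = m.groups()
            events.append(Event(ts, int(pid), int(ppid), image.strip()))
    return events


def office_lineage_alerts(events, max_depth=4):
    """Return one alert per script host with an Office ancestor within max_depth.

    Walking the ancestry (not just the direct parent) catches the common
    indirection through cmd.exe; max_depth bounds the walk so an Office app
    far up the tree (a shell the user opened from a document hours ago) is
    not reported.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        chain = [basename(e.image)]
        parent = by_pid.get(e.ppid)
        depth = 0
        while parent is not None and depth < max_depth:
            chain.append(basename(parent.image))
            if basename(parent.image) in OFFICE_APPS:
                alerts.append({"ts": e.ts, "pid": e.pid, "chain": chain})
                break
            parent = by_pid.get(parent.ppid)
            depth += 1
    return alerts


if __name__ == "__main__":
    for a in office_lineage_alerts(parse_events(SAMPLE_EVENTS)):
        print(a["ts"], a["pid"], " <- ".join(a["chain"]))
```

Run on the constructed sample, the rule reports only pid 2355 (powershell.exe <- cmd.exe <- winword.exe) and stays quiet on the PowerShell started from Explorer, which is the distinction a detection team wants: the interpreter itself is legitimate, the parentage is not.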
Is Windows 10 Safer?
Some features of Windows 10, including Passport and Windows Hello, thwart keyloggers by giving users access without requiring usernames and passwords. Device Guard, which blocks applications from non-whitelisted sources, does not protect devices from documents infected with macros.
No matter which version of Windows your organization uses, IT can take common sense steps to prevent harm from malicious macros:
- Set preventive policies. The best Internet security software enables you to block macros from external sources or sandbox incoming Office files. You should also configure desktop antivirus software to scan even encrypted macros before they execute.
- Monitor for the presence of malware. Watch for large quantities of new files coming through your email servers in old document formats, like .doc or .xls. Also monitor for files, applications, or devices calling out to Tor or Polipo.
- Disable PowerShell and Windows Script Host (WSH)…if you’re desperate. PowerShell and WSH have great utility for admins. Some security companies recommend disabling them, but only do so under extreme circumstances.
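The first two steps above (blocking or sandboxing incoming Office files, and watching for bursts of old-format documents on the mail server) can be expressed as a gateway check. The following is an added example, not the article's own or any vendor's code: it classifies attachments by container type rather than by file extension, reports OOXML packages that carry a VBA project part, and counts legacy-format files against a burst threshold. The sample attachments are constructed stand-ins, and the verdict names, the threshold and the extension lists are assumptions made for the example.

```python
"""Gateway-side triage of Office attachments by macro risk.

Added example, not the article's own or any vendor's code. It inspects the
container (not the file extension) to decide whether a file is a legacy OLE2
document, an OOXML package with a VBA project, or something else, and counts
legacy-format files against a burst threshold.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file header (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML packages are zip files
OOXML_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
LEGACY_EXTS = (".doc", ".xls", ".ppt")


def classify(name, data):
    """Return (verdict, reason); verdicts are "sandbox", "review" or "allow".

    Verdict names are an assumption of this example; map them onto whatever
    your gateway supports (quarantine, detonation, delivery).
    """
    lower = name.lower()
    if data.startswith(OLE2_MAGIC):
        if lower.endswith(OOXML_EXTS):
            return "review", "OLE2 content behind an OOXML extension"
        # Legacy binary formats keep VBA inside an OLE storage; without a full
        # parser we cannot rule macros out, so treat the whole class as risky.
        return "sandbox", "legacy OLE2 document; VBA cannot be ruled out"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = [n.lower() for n in zf.namelist()]
        except (zipfile.BadZipFile, OSError):
            return "review", "zip header present but package is corrupt"
        # OOXML stores macros as word/vbaProject.bin, xl/vbaProject.bin, etc.
        if any(p.endswith("vbaproject.bin") for p in parts):
            return "sandbox", "OOXML package carries a VBA project part"
        if lower.endswith(LEGACY_EXTS):
            return "review", "OOXML content behind a legacy extension"
        return "allow", "OOXML package without VBA project"
    return "allow", "not an Office container"


def triage(attachments, legacy_threshold=3):
    """Classify each (name, bytes) pair and flag a burst of legacy-format files."""
    result = {"sandbox": [], "review": [], "allow": []}
    legacy = 0
    for name, data in attachments:
        verdict, _reason = classify(name, data)
        result[verdict].append(name)
        if data.startswith(OLE2_MAGIC):
            legacy += 1
    result["legacy_count"] = legacy
    result["legacy_burst"] = legacy >= legacy_threshold
    return result


# --- constructed samples (not real documents) ---------------------------------
def build_ooxml(parts):
    """Minimal zip with the given member names, standing in for an OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in parts.items():
            zf.writestr(member, content)
    return buf.getvalue()


SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504   # header only, stands in for a .doc
SAMPLE_CLEAN_DOCX = build_ooxml({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>"})
SAMPLE_MACRO_DOCM = build_ooxml({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00placeholder"})
SAMPLE_PDF = b"%PDF-1.4\n% constructed stand-in\n"

SAMPLE_BATCH = [
    ("resume.doc", SAMPLE_LEGACY_DOC),
    ("invoice.docm", SAMPLE_MACRO_DOCM),
    ("agenda.docx", SAMPLE_CLEAN_DOCX),
    ("brochure.pdf", SAMPLE_PDF),
    ("shipment.doc", SAMPLE_LEGACY_DOC),
    ("notes.docx", SAMPLE_LEGACY_DOC),        # extension says OOXML, bytes say OLE2
]

if __name__ == "__main__":
    for name, data in SAMPLE_BATCH:
        print(f"{name:15} {classify(name, data)}")
    print(triage(SAMPLE_BATCH, legacy_threshold=3))
```

Two design points matter here. Deciding on the bytes rather than the extension means a renamed file gets the same treatment as an honestly named one, and a mismatch between the two is itself worth a look. Treating every legacy OLE2 document as sandbox-worthy is deliberately coarse: telling a macro-free .doc from one with a VBA storage needs a real compound-file parser, and the article's own advice is to sandbox incoming Office files rather than trust a cheap check.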
Does Outlook Detect Malicious Macros in Attachments?
Outlook on the Web does block certain file types within attachments, but it considers Office documents safe. To avoid downloading documents with malicious macros, take these precautions:
- Preview all attachments. Take advantage of the Reading Pane to preview attachments. If the attachment isn’t relevant or seems suspicious in any way, don’t download the document.
- Upload email attachments to OneDrive. OneDrive scans uploaded attachments for known threats. Save documents into OneDrive’s email attachment folder from Outlook on the Web.
- Avoid enabling macros from unknown sources. Unless you’re expecting a document from an external party that you trust, never enable macros within email attachments.
- Stop sharing documents via email attachment. Make a habit of sharing documents through OneDrive or team sites. Once sending documents as email attachments becomes less common within your organization, suspicious ones are easier to spot.
- Open documents on the Web. In most cases, reading and editing documents doesn’t require advanced Office features. Process documents from external sources using Office Web apps, not your local computer.
How Can You Prevent Damage From Macro Malware?
Teach your employees to recognize the many faces of social engineering. Show samples of social engineering attacks, and then carry out drills to see how many workers get fooled.
Ultimately, your best weapons against macro malware are employees who know better than to open it. If they do enable macros in a suspicious document — as human beings sometimes do — make sure they report the incident to IT as soon as possible.
Windows Surface 2 image by Karlis Dambrans from Flickr Creative Commons.