There's good and bad news about Microsoft's recent crackdowns on untrusted Office macros. The good is that it has curtailed the use of Office macros in emailed attachments or links. The bad is that attackers have just changed tactics, ramping up their use of .LNK Windows shortcut links.
According to security firm Proofpoint, ever since Microsoft clamped down on Office macros, attackers have switched to using container files such as ISO and RAR attachments and Windows Shortcut (LNK) files.
A key turning point in macro usage was in February, when Microsoft announced it would roll out a default block on internet-sourced Visual Basics for Applications (VBA) macros from April. That rollout plan was delayed until this week.
"The most notable shift in campaign data is the emergence of LNK files; at least 10 tracked threat actors have begun using LNK files since February 2022. The number of campaigns containing LNK files increased 1,675% since October 2021," Proofpoint notes.
SEE; What, exactly, is cybersecurity? And why does it matter?
Email attachments with malicious macros decreased approximately 66% between October 2021 and June 2022, according to Proofpoint.
The uptake of .LNK files by threat actors was occurring before February because Microsoft's macro crackdowns started years ago.
Abusing Office macros — a script in Word or Excel files that automate repetitive tasks like monthly accounting — is a useful technique for attackers since it's not a flaw that can be patched and instead relies on tricking employees into enabling a capability most people don't need.
Microsoft's latest crackdown, which rolled out this week, was to make Office apps, by default, block VBA macros in all attachments or links in email received from the internet. This cut out the need for admins to configure domains to block untrusted VBA macros and makes it more difficult for users to enable macros after trickery.
Since 2016, Microsoft has gradually imposed more restrictions on running macros. Back then it said 98% of Office-targeted threats use macros. In January, it also disabled Excel 4.0 macros (XLM) macros by default. XLM was added to Excel in 1992 but is still used even though VBA superseded it in 1993.
In 2018, Microsoft gave antivirus vendors a way to integrate with Office to inspect files for malicious VBA macros. It added XLM macros to that antivirus interface in March because attackers had started using XLM in response to its prior VBA macro crackdown.
"While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands," Microsoft explained at the time.
XLM, also referred to as XL4, was adopted BY professional malware gangs behind the multipurpose Emotet malware. Again, XLM's use correlated with the timing of Microsoft's move to block these macros and let antivirus vendors inspect Office files for these scripts.
"XL4 macro use spiked in March 2022. This is likely a result of TA542, the actor delivering the Emotet malware, conducting more campaigns with higher volumes of messages than preceding months. Typically, TA542 uses Microsoft Excel or Word documents containing VBA or XL4 macros. Emotet activity subsequently dropped off in April and it began using additional delivery methods including Excel Add In (XLL) files and zipped LNK attachments in subsequent campaigns," Proofpoint notes.