Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics

Cybersecurity researchers at Proofpoint have today released new research showing threat actors adopting new tactics in response to Microsoft’s announcements that it would block macros by default in Microsoft Office applications.

Threat actors have responded to Microsoft’s move by increasing their use of container files such as ISO, RAR and Windows Shortcut (LNK) files to distribute malware, in one of the largest email threat landscape shifts in recent history.

Key findings include:

· Proofpoint has observed the use of VBA and XL4 Macros decrease approximately 66% from October 2021 through June 2022.

· The use of ISO files has increased over 150% and the use of LNK files has increased a staggering 1,675% in the same timeframe. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.

· These filetypes have been used by actors distributing Bumblebee malware, Emotet malware, as well as multiple cybercriminal and APT groups.
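As an added defensive illustration (not code from Proofpoint or from the original post), the following Python triages the attachments of a raw email for the ISO, RAR and LNK containers the findings describe, checking both the filename extension and the file signature so that a misleading name alone does not defeat the check. The sample message and the signature constants are constructed here from the public file-format specifications.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Attachment types the research above reports as rising macro replacements.
CONTAINER_EXTS = (".iso", ".rar", ".lnk")

# Signatures from the public format specs (constructed here, not taken from the post).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
RAR_MAGIC = b"Rar!\x1a\x07"                                              # common RAR4/RAR5 prefix
ISO_MAGIC, ISO_OFFSET = b"CD001", 0x8001                                 # ISO 9660 volume descriptor


def sniff(data: bytes) -> Optional[str]:
    """Classify by content, so the filename is not the only thing the check trusts."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ISO_OFFSET:ISO_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return None


def flag_container_attachments(raw_message: bytes) -> list:
    """Return (filename, extension_match, sniffed_type) for each attachment worth a closer look."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(CONTAINER_EXTS)
        by_magic = sniff(data)
        if by_ext or by_magic:
            hits.append((name, by_ext, by_magic))
    return hits


def sample_message() -> bytes:
    """Constructed sample: an invoice lure with a LNK under a .pdf name, a real PDF and a RAR."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ap@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(LNK_MAGIC + b"\0" * 56, maintype="application", subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    msg.add_attachment(RAR_MAGIC + b"\0", maintype="application", subtype="vnd.rar", filename="docs.rar")
    return bytes(msg)


if __name__ == "__main__":
    for name, by_ext, by_magic in flag_container_attachments(sample_message()):
        print(f"{name}: extension match={by_ext}, content sniffed as={by_magic}")
```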

Please follow the link to review the full research: https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world 

Sherrod DeGrippo, Senior Director, Threat Research and Detection
July 29, 2022 5:16 am

Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape. Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue.
