Cybersecurity researchers at Proofpoint have today released new research showing threat actors adopting new tactics in response to Microsoft’s announcements that it would block macros by default in Microsoft Office applications.
Threat actors have responded to Microsoft’s move by increasing their use of container files such as ISO, RAR and Windows Shortcut (LNK) files to distribute malware, in one of the largest email threat landscape shifts in recent history.
Key findings include:
· Proofpoint has observed the use of VBA and XL4 macros decrease by approximately 66% from October 2021 through June 2022.
· The use of ISO files has increased over 150% and the use of LNK files has increased a staggering 1,675% in the same timeframe. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.
· These filetypes have been used by actors distributing Bumblebee and Emotet malware, as well as by multiple cybercriminal and APT groups.
Please follow the link to review the full research: https://www.proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world
“Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape. Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue.”