Threat Actors Respond To Microsoft Blocking Macros with New Email Tactics

By ISBuzz Team
Writer, Information Security Buzz | Jul 28, 2022 09:14 pm PST

Cybersecurity researchers at Proofpoint have today released new research showing threat actors adopting new tactics in response to Microsoft’s announcements that it would block macros by default in Microsoft Office applications.

Threat actors have responded to Microsoft’s move by increasing their use of container files such as ISO, RAR and Windows Shortcut (LNK) files to distribute malware, in one of the largest email threat landscape shifts in recent history.

Key findings include:

· Proofpoint has observed the use of VBA and XL4 macros decrease approximately 66% from October 2021 through June 2022.

· The use of ISO files has increased over 150% and the use of LNK files has increased a staggering 1,675% in the same timeframe. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.

· These filetypes have been used by actors distributing Bumblebee and Emotet malware, as well as by multiple cybercriminal and APT groups.
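For mail-filtering teams, the following added example (not from Proofpoint's research or the original article) flags ISO, RAR and LNK attachments by their content signatures rather than by file name, so a renamed shortcut is still caught. The function names, the sample message and its file names are constructed for illustration, and the extension check is simplified to .iso, .rar and .lnk.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# (offset, magic bytes) per type, so detection does not rely on the file name.
SIGNATURES = {
    "ISO": [(0x8001, b"CD001")],                          # ISO 9660 volume descriptor
    "RAR": [(0, b"Rar!\x1a\x07\x00"),                     # RAR 4.x
            (0, b"Rar!\x1a\x07\x01\x00")],                # RAR 5.x
    "LNK": [(0, b"\x4c\x00\x00\x00"                       # shell link header size
                b"\x01\x14\x02\x00\x00\x00\x00\x00"       # + LinkCLSID
                b"\xc0\x00\x00\x00\x00\x00\x00\x46")],
}


def classify(data: bytes):
    """Return 'ISO', 'RAR', 'LNK' or None, judged by content only."""
    for kind, sigs in SIGNATURES.items():
        if any(data[off:off + len(magic)] == magic for off, magic in sigs):
            return kind
    return None


def triage(raw_message: bytes):
    """Return (filename, detected_type, extension_matches) per flagged attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = classify(part.get_payload(decode=True) or b"")
        if kind:
            findings.append((name, kind, name.lower().endswith("." + kind.lower())))
    return findings


def build_sample() -> bytes:
    """Constructed message: a renamed LNK, an ISO and a harmless text file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    lnk = SIGNATURES["LNK"][0][1] + b"\x00" * 56          # header bytes only, no target
    iso = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64
    for name, body in (("invoice.pdf", lnk), ("scan.iso", iso), ("notes.txt", b"hello")):
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A finding whose third field is False means the attachment's name does not match its detected type, which is worth a higher-severity alert than a container file alone.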

Please follow the link to review the full research: 

Sherrod DeGrippo, Senior Director, Threat Research and Detection
July 29, 2022 5:16 am

“Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape. Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue.”
