Home Latest News How Hackers are Bypassing Microsoft Office Macros Ban

How Hackers are Bypassing Microsoft Office Macros Ban


To deliver malware to systems, hackers are switching to new file types, including ISO, RAR and LNK (Windows Shortcut) attachments.

Last year, Microsoft announced blocking the XL4 (Excel 4.0) and VBA (Visual Basics for Applications) macros by default for the Office suite. Now that the company is implementing the changes, attackers have found a new way to bypass Microsoft’s move. Hackers are switching to new file types, including ISO, RAR and LNK (Windows Shortcut) attachments, to deliver malware to systems.

Macros are a series of commands grouped as one program to perform a task automatically. Now, XL4 and VBA macros are two small programs used to perform repetitive tasks in Microsoft Office. Hackers have actively used these two macros as threat actors for installing malware on a system via malicious documents downloaded from the internet or phishing mail.

The latest report from Proofpoint reads “The use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022,”

The enterprise security firm calls it “one of the largest email threat landscape shifts in recent history.”

Microsoft made the announcement last year, but it took them a long time to implement the changes. Microsoft blocked the macros last month, but hackers have been turning away from the Office macro attacks as they use new types of files as payloads. The report reads, “Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue.”

The use of ISO, RAR and LNK files to deliver the malware has increased by 175 per cent in the same period, and it is expected to grow further. Attackers have been using the new methods to deliver malware from Emotet, IcedID, Qakbot, and Bumblebee families. The adoption of the LNK file has risen significantly; the number of campaigns has increased by 1675 per cent since October 2021, becoming one of the most used threat actors, being used by ten individual threat groups.

Proofpoint researchers said “As for getting intended victims to open and click, the methods are the same: a wide array of social engineering tactics to get people to open and click. The preventive measures we use for phishing still apply here,”

Recommended for You

Recommended for You

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Close Read More

See Ads