We discuss the threat of Microsoft Office “macro” delivered malware, how it works and how to avoid this type of attack.
One of the most common ways for cybercrooks to deliver malware payloads to a victim is through email. This is often done through standard email attachments, where the malware (or a file that will download malware) is attached to the email in the hope that the recipient opens it and infects their device.
The type of malicious email attachment can vary. In the early days of cybersecurity, a criminal could attach a piece of malware directly to an email, and it would infect a device as soon as the recipient opened it. Today, however, that is harder to do, since the attachment will likely be flagged as malware by security software on the recipient’s device, or by their email provider or webhost, and consequently blocked.
This means criminals need to mask their malware attachments in some way to evade security software. One way to do this is to compress the malware by putting it in a ZIP folder. Another way is to hide it in Microsoft Office documents that contain malicious macros, which is what we discuss here.
Macros are pieces of code that live inside a particular Microsoft Office document, such as an Excel file or a Word file. They can be created by anyone, and are designed to automate routine or repetitive tasks. They’re generally used by advanced or “power” Office users, such as company payroll teams who often work with very complex documents.
But because a macro in an Office document can be created by anyone, crooks can also use them to create their own malicious Office documents. In these cases, while the macro itself isn’t likely to be “turned” into malware, a macro can be used to download malware from the Internet.
The diagram above shows how a typical macro-delivered malware attachment works.
As such, crooks can weaponize Microsoft Office documents with malicious macros and send them as attachments to unwary recipients.
Because Office macros can be exploited in this way by cybercrooks, Microsoft disables macros by default. This means that for a macro-delivered malware attack to successfully infect a device, a victim needs to not only open a malicious Office document but also enable macros.
The would-be victim is asked if they want to do this as soon as they open an Office document. Below are some variants on the dialog bar that asks a user to enable macros.
If a user enables “content” (i.e. macros) then this is sufficient for a device to become infected with malware, presuming the victim’s security software does not detect the incoming malware payload.
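The chain described above (a document container carries a macro project, and the macro fetches the payload only after the user clicks “Enable Content”) means the defensive check can happen before the document ever reaches a user: a mail gateway or triage script can look inside the attachment for a VBA project part. The following is an added example, not code from the original article; it builds two constructed OOXML-style containers in memory (one with a placeholder `vbaProject.bin` part, one without) and inspects them. The extension list and the `[Content_Types].xml` / `vbaProject.bin` conventions are real OOXML facts; the `inspect_attachment` and `verdict` function names, the constructed sample bytes and the quarantine policy are assumptions made for this example.

```python
import io
import zipfile

# Extensions that Office treats as macro-enabled (OOXML, ZIP-based).
MACRO_ENABLED_EXTENSIONS = {
    "docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam", "ppsm", "sldm",
}
# Legacy binary Office formats (OLE2 compound files) that can also carry macros.
LEGACY_OLE_EXTENSIONS = {"doc", "dot", "xls", "xlt", "xla", "ppt", "pot", "pps"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML-style ZIP container for the demo.

    This is NOT a real Word document; it only reproduces the parts the
    inspector looks at: [Content_Types].xml and, optionally, a vbaProject.bin part.
    """
    parts = ['<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        parts.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(parts) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real VBA project is an OLE2 stream.
            z.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return what an attachment looks like from a macro-risk standpoint."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {
        "filename": filename,
        "macro_enabled_extension": ext in MACRO_ENABLED_EXTENSIONS,
        "legacy_ole_format": data.startswith(OLE2_MAGIC) or ext in LEGACY_OLE_EXTENSIONS,
        "is_ooxml": False,
        "has_vba_project": False,
    }
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a ZIP, but not an OOXML package
            result["is_ooxml"] = True
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            # Either signal is enough: a vbaProject.bin part, or a content-type override for one.
            has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            result["has_vba_project"] = has_part or VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        pass  # truncated or malformed container: leave is_ooxml False
    return result


def verdict(info: dict) -> str:
    """Assumed gateway policy: hold anything that carries or may carry macros."""
    if info["has_vba_project"]:
        return "quarantine"          # macro project present, regardless of extension
    if info["legacy_ole_format"] or info["macro_enabled_extension"]:
        return "needs_deeper_scan"   # can carry macros; this parser does not read OLE2
    return "allow"


if __name__ == "__main__":
    for name, blob in [("bill.docm", build_sample(True)), ("bill.docx", build_sample(False))]:
        info = inspect_attachment(name, blob)
        print(name, info["has_vba_project"], verdict(info))
```

The legacy `.doc`/`.xls` formats are OLE2 compound files rather than ZIP packages, so this inspector only flags them for a deeper scan; the open-source oletools project’s `olevba` is the usual tool for extracting VBA from both formats. Note the order in `verdict`: a `vbaProject.bin` inside a file named `.docx` is still held, because the extension is whatever the sender chose to call it.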
There are two points in which this type of scam can easily be avoided by a would-be victim.
Firstly, don’t open the attachment. We always recommend avoiding email attachments unless you were expecting a specific type of email attachment from a specific sender at a certain time. If an email is unexpected – even if it appears to be from someone you know or trust – don’t open the email attachment. This approach will protect you from all types of malicious email attachments, not only booby-trapped Office documents.
Secondly, don’t enable macros in an Office document unless you know exactly what those macros are for and you trust the sender of the document. If you were not expecting the Office document or are not sure of its legitimacy, never enable macros (content), as this allows the document to download malware.
Of course, as a final barrier against infection, we always recommend installing good, reliable security software and running full scans regularly. Click here for our recommendations.
Cybercrooks know that an email recipient is unlikely to open an email attachment and then enable content unless they can be tricked into doing so. And this is where social engineering comes in.
Crooks will use a variety of techniques to lure recipients into opening attachments and enabling macros. Look at the below example that shows a scam email and then what a user sees when they open the attached Word document.
On the left is an email containing the attachment and on the right is the Word document attachment when opened.
There are two social engineering techniques here. First, the initial email asks the recipient to open a potentially important bill-related document. This is to lure a victim into opening the email attachment.
The second social engineering trick here is to claim the recipient cannot read the attachment until they enable macros (content) so the document can “adjust” to the recipient’s version of Word. This is to lure a victim into enabling macros, and this is the final step to infecting a device with malware.
Other common social engineering tricks include claims that the recipient has an invoice or receipt for a purchase, a voice message, or a tax rebate or refund due, or that they are the subject of a complaint, fine or arrest warrant.
Whatever the tricks used, if you don’t open email attachments and never enable macros in Office documents, this particular attack method will not be successful.
For more information on malicious email attachment scams, read our post here.