Microsoft Office Macros Still No. 1 Malware Delivery

A recent blog post found that the macro remains the email attachment of choice for delivering malicious payloads. Of all the mechanisms analyzed, 45% of attackers used these documents to delivery malicious macros, including Geodo, Chanitor, AZORult and GandCrab.

According to researchers, the macro is a top choice because it either is enabled on a machine or only requires a single mouse click to be enabled. “This makes it almost trivial to launch the first stage of an infection chain,” Cofense wrote.

It is often the case that the Microsoft Office macro feature is enabled by default, leaving users completely unaware that there were any problems with opening the document. Yet researchers noted that even with appropriate protections in place, users only see a warning that can be dismissed with one click.

“Abuse of this feature can be easily mitigated by disabling macros enterprise-wide. However, macros do have legitimate and valuable usage, upon which many businesses rely. To help reduce the attack surface introduced by this feature, businesses have some option,” Cofense wrote. While a blanket policy of blocking documents at the gateway is the most effective solution, these strict policies can hinder user productivity.

Defending against phishing attacks is further complicated by social engineering tactics. Additional findings from a FireEye study, which revealed that one in every one hundred emails represent a phishing or malicious email. Of those attempted email attacks, 90% are malware-less. The goal with malware-less attacks is to trick the user into sharing information about the company by impersonating a trusted source.

“Phishing has been around since the mid-to-late ’90s, and yet it’s still a significant problem as a direct effect of how successful it remains, even decades later. People are, and always will be, the weakest link,” said Thomas Pore, director of IT and services for Plixer.

“Social engineering will succeed, which means your organization is vulnerable. You must constantly monitor network traffic and digital communication to look for behavior anomalies. Operating the SOC under the assumption that you’ve already been infected puts you in a state of mind to stay diligent when network traffic behavior anomalies rise up. A combination of regular staff training, critical-asset tagging, patching and behavior anomaly detection is the foundation of a strong and successful security program.”