Qbot Strikes Back: Adapting to Microsoft's Macro Blocking - VMRay

Qbot Strikes Back:     
Adapting to Microsoft’s Macro Blocking

Qbot operators adapted to Microsoft’s blocking of Office macros by devising alternative infection techniques such as HTML attachments, ISO and LNK files.

Adaptive techniques of Qbot: 
Overcoming Microsoft’s macro execution block

Qbot, a resilient and cunning malware family, has resurfaced with a new approach in response to Microsoft’s decision to block macro execution. After a period of inactivity, Qbot operators launched fresh attacks in September 2021, leveraging malicious Excel email attachments containing macros.

In February 2022, Microsoft announced its plan to block macro execution in popular Microsoft Office file types downloaded from the Internet. This move aimed to curb the widespread abuse of macros by threats like Qbot. By assigning a hidden value known as the “Mark of the Web” to files originating from the Internet, Microsoft aimed to enhance security.

Qbot operators wasted no time in adapting to this significant security measure. They quickly devised alternative infection techniques to bypass the Mark of the Web protection for Office files. Observations from Hornet Security revealed that Qbot spam emails now included HTML attachments, providing a stealthy method to avoid downloading additional files.

These HTML attachments were compressed zip files containing various file types, including ISOs, LNKs, and DLLs. The files were accessed sequentially, culminating in the execution of the main executable. Despite its intricate attack chain, this approach has proven effective for Qbot, demonstrating its ability to deceive users and evade detection.

As organizations face the evolving threat landscape, understanding the adaptive strategies of Qbot and other malware families becomes even more crucial.

Course home page: 
Converging Incident Response & Detection Engineering

Chapter 10: 
What is HTML smuggling and how Qbot uses this technique?

See VMRay in action.
Start maximizing value for
Incident Response & Detection Engineering

Further resources


Analysis of Qbot to enhance Detection Engineering

Watch the full recording from the our webinar at SANS DFIR Summit.


Explore how you can improve the efficacy of detection Engineering through VMRay.


Check the most advanced sandbox for analyzing malware and phishing.

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator