Chapter 6: Why can macros be dangerous?

Scripting languages and macros: a potent combination

There are several key factors that have contributed to the success of this attack vector. One prominent reason is the ability to use scripting languages, such as macros, to execute arbitrary programs within Microsoft Office products.

This cross-platform compatibility enables malicious Excel documents, for instance, to run on various Windows operating systems, making macros a versatile tool for cybercriminals.

Challenges faced by defenders against macro viruses

The complex program and data structures of scripting languages have posed significant challenges for defenders. Macro viruses presented a formidable task in terms of detection and mitigation, especially since Microsoft initially withheld crucial insights from antivirus companies.

With the macro source code embedded in every copy of an infected document, customization and modification became effortless, allowing individuals with minimal expertise to create their own viruses. This lowered the entry barrier for conducting malicious acts.

Easy entry and widespread impact: the appeal of macro viruses

Another compelling aspect of macro viruses is their target-rich environment. Microsoft Office programs are ubiquitous across enterprise networks, making them an attractive avenue for attackers.

Exploiting the User Execution: Malicious File technique, adversaries capitalize on users' actions by enticing them to open seemingly innocuous files, triggering the execution of malicious code. Often delivered through spear-phishing attacks, these files primarily comprise file types such as .doc, .pdf, .xls, .rtf, .scr, and .exe.
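A defender triaging the attachment types listed above wants a quick check for whether an Office document carries an embedded VBA project at all, before it reaches a user. The following is an added example, not code from this chapter: a heuristic that looks for the `vbaProject.bin` part in OOXML (.docm/.xlsm) packages and for the `_VBA_PROJECT` directory-entry name in legacy OLE (.doc/.xls) files. The sample documents it builds are constructed stand-ins, not real malware.

```python
import io
import zipfile

# OLE compound-file signature that legacy .doc/.xls files begin with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names inside an OLE file are stored as UTF-16LE; the
# "_VBA_PROJECT" stream is present whenever a VBA project is embedded.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# In OOXML packages the whole macro project is one binary part.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def contains_vba(data: bytes) -> bool:
    """Heuristic: does this Office document carry an embedded VBA project?"""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: scan the raw bytes for the VBA stream name.
        return OLE_VBA_MARKER in data
    if data.startswith(b"PK\x03\x04"):
        # OOXML: a zip container; macros live in a dedicated part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return False
        return any(part in names for part in OOXML_VBA_PARTS)
    # Not an Office container we recognise (e.g. PDF, RTF, PE): no VBA.
    return False


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macro: bool) -> bytes:
    """Constructed sample: OLE header plus filler, optionally with the VBA marker."""
    body = b"\x00" * 512
    if with_macro:
        body += OLE_VBA_MARKER
    return OLE_MAGIC + body


if __name__ == "__main__":
    for label, blob in (("xlsm", make_ooxml(True)), ("xlsx", make_ooxml(False)),
                        ("xls+vba", make_ole(True)), ("xls", make_ole(False))):
        print(f"{label}: macros={contains_vba(blob)}")
```

A positive result only says a VBA project is present, not that it is malicious; a full triage would go on to extract and inspect the macro code.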

While these reasons shed light on the allure of macro malware, it’s essential to acknowledge that this list is not exhaustive. Attackers continuously adapt their tactics, and defending against macro-based threats remains an ongoing challenge. Stay informed and fortified against these dangers by leveraging the insights provided by the MITRE ATT&CK framework.