Understanding the changing tactics: Macros blocked, new threat vectors arise
Microsoft's blocking of VBA macros and Excel 4.0 (XLM) macros in files downloaded from the internet has significantly impacted the threat landscape, leading to a notable shift in the tactics and techniques employed by threat actors. Previously, phishing emails carrying documents with malicious macros were a common way to gain an initial foothold in networks.
However, with the new security measures in place, threat actors are adapting their strategies. This has resulted in a substantial change in the email threat landscape.
The file formats for attackers: Before and after the blocking of macros
Traditionally, threat actors distributed macro-laden Office documents through phishing emails, attempting to entice users into enabling macros. Now, in an effort to bypass these protections, they are leveraging alternative file formats such as ISO, RAR, and ZIP archives, as well as Windows Shortcut (LNK) files, DLLs, and executables. Studies by Proofpoint and SentinelOne support these findings, highlighting the shift away from macro-enabled documents toward container files and Windows Shortcut files for malware delivery.
Our own research at VMRay aligns with these industry observations. We have observed a decrease in malicious documents with macros, alongside a significant increase in Shell Link (LNK) files. While macro threats still persist, the shift in trends is evident when the data is plotted on a logarithmic scale. Specifically, we have seen a 79% decrease in malicious Microsoft Office macro documents, while the use of Shell Link files in attacks has increased nearly tenfold.
The evolving threat landscape underscores the importance of staying vigilant and adapting security measures to address emerging threat vectors. As threat actors adjust their tactics, organizations must remain proactive in their defense strategies, continually monitoring and mitigating risks associated with evolving file formats and attack techniques.
Course home page: Threat Hunting in the post-macro world