What’s next in the post-macro threat landscape

From macros to Shell Link (LNK) files: how attackers are responding to Microsoft’s blocking of Office macros

Understanding the changing tactics: macros blocked, new threat vectors arise

Microsoft’s blocking of VBA macros and Excel 4.0 (XLM) macros in files from the internet has significantly impacted the threat landscape, leading to a notable shift in the tactics and techniques employed by threat actors. Previously, phishing emails carrying documents with malicious macros were a common way to gain an initial foothold in networks.

However, with the new security measures in place, threat actors are adapting their strategies. This has resulted in a substantial change in the email threat landscape.

The file formats used by attackers: before and after the blocking of macros

Traditionally, threat actors distributed macro-infected Office documents through phishing emails, attempting to entice users into enabling macros. Now, in an effort to bypass these protections, they are leveraging alternative file formats such as ISO, RAR, and ZIP container files. Additionally, formats like Windows Shortcut (LNK) files, DLLs, and executables are being delivered, often inside such containers. Studies by Proofpoint and SentinelOne support these findings, highlighting the shift away from macro-enabled documents to container files and Windows Shortcut files for malware delivery.

Our own research at VMRay aligns with these industry observations. We have observed a decrease in malicious documents with macros, while there has been a significant increase in Shell Link files. While macro threats still persist, the shift in trends is evident when the data is examined on a logarithmic scale. Specifically, we have seen a 79% decrease in malicious Microsoft Office macro documents, while the use of Shell Link files in attacks has increased nearly tenfold.
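The shift described above (Shell Link files delivered inside container formats) is something a threat hunter can check for at the attachment-triage stage. The following is an added example, not VMRay’s code or part of the original page: it opens a ZIP container with Python’s standard library, flags members by risky extension, and also flags members whose content starts with the documented Shell Link fixed header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to look like an image is still caught. The sample archive is constructed inline; the member names and the extension lists are assumptions for illustration. ISO and RAR need third-party parsers, but the same per-member check applies to them.

```python
import io
import zipfile

# Signature of a Windows Shell Link file: HeaderSize (0x0000004C, little-endian)
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046} in its
# on-disk (mixed-endian GUID) byte order. This is documented in MS-SHLLINK.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions worth flagging when found inside an emailed container (assumed list).
RISKY_EXTENSIONS = {".lnk", ".dll", ".exe", ".iso", ".hta", ".js", ".vbs"}


def is_lnk(head: bytes) -> bool:
    """True if the bytes begin with the Shell Link header signature."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def member_extension(name: str) -> str:
    """Lower-cased final extension of an archive member, '' if none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(blob: bytes) -> list[dict]:
    """Return one finding per suspicious archive member, with the reasons.

    Checks both the member's extension and its leading bytes, so a shortcut
    renamed to .jpg is still reported (with an extension/content mismatch).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = member_extension(info.filename)
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            reasons = []
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"risky extension {ext}")
            if is_lnk(head):
                reasons.append("Shell Link header")
                if ext != ".lnk":
                    reasons.append("extension/content mismatch")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample container mimicking the delivery pattern in the text.

    The 'LNK' members carry only the header signature plus zero padding; they
    are not functional shortcuts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 60)   # double extension
        zf.writestr("photo.jpg", LNK_MAGIC + b"\x00" * 60)         # disguised LNK
        zf.writestr("readme.txt", b"Please open the attached invoice.")  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Reading only the first 20 bytes of each member keeps the check cheap on large archives; a full triage pipeline would hand flagged members to a sandbox rather than stop at the signature.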

The evolving threat landscape underscores the importance of staying vigilant and adapting security measures to address emerging threat vectors. As threat actors adjust their tactics, organizations must remain proactive in their defense strategies, continually monitoring and mitigating risks associated with evolving file formats and attack techniques.

Course home page: Threat Hunting in the post-macro world

Chapter 9: What are LNK files, and how do attackers use them?
