Malware News: Microsoft Office Macros Are Behind 45% of All Delivered Malware Payloads

Bot

While analyzing the delivery mechanisms used by threat actors during August 2018, Cofense Intelligence found that Microsoft's Office macros account for almost half of all malware payloads delivered to targets.

As explained in their analysis, bad actors tend to use Microsoft Office macros as the first stage of infection chains and as the primary way of delivering malicious programs in about 45% of security incidents.

Office macros are one of the favorite tools attackers employ to deliver malware because, on most computers running Microsoft Office, the Office macro feature is enabled by default, while in organizations which have stricter security policies and where the feature is disabled, end users can dismiss it with a mouse click.

The almost unnoticeable way Microsoft Office alerts users of a possible threat and the trivial method of bypassing suc...

Read more: Microsoft Office Macros Are Behind 45% of All Delivered Malware Payloads
 

Eddie Morra

Office VBA support has been in AMSI for a very long time - accessible through a registry hack - and Cylance were the first to document it as far as I know (a lot of kudos to them from me).

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security -> MacroRuntimeScanScope (DWORD) -> 2 (00000002).

Obviously, none of this was in the public documentation for AMSI over on MSDN (therefore this is "undocumented"); Microsoft are happy to boast about AMSI and push it with all their Windows Defender blogs but cannot be bothered to provide proper documentation on it.
 

Eddie Morra

The fact that Microsoft has allowed Office to be so weaponized is inexcusable.
In all fairness, Microsoft did implement Attack Surface Reduction (ASR) with Windows Defender, and it does work quite well when used properly. The documentation for it on MSDN isn't *as bad* as other things, they did take more time with that one. Always room for improvement though.

But I agree with you, and... let's remember PowerShell and WMI as well. :rolleyes::cautious:
 

Local Host

Office VBA support has been in AMSI for a very long time - accessible through a registry hack - and Cylance were the first to document it as far as I know (a lot of kudos to them from me).

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security -> MacroRuntimeScanScope (DWORD) -> 2 (00000002).

Obviously, none of this was in the public documentation for AMSI over on MSDN (therefore this is "undocumented"); Microsoft are happy to boast about AMSI and push it with all their Windows Defender blogs but cannot be bothered to provide proper documentation on it.
There's a difference between work-in-progress and a release.

Microsoft has many more hidden settings and APIs which are work in progress, so you're going to claim they were already there when Microsoft announces it?
 

509322

It makes me laugh because a lot of people get bent out of shape if a security solution doesn't block an Office macro infection... meanwhile, the person who is getting bent out of shape about it very often doesn't even use Office (because they don't want to pay) - so that person isn't even susceptible to macro infections.

Such is the nonsense.
 

509322

Obviously, none of this was in the public documentation for AMSI over on MSDN (therefore this is "undocumented"); Microsoft are happy to boast about AMSI and push it with all their Windows Defender blogs but cannot be bothered to provide proper documentation on it.

This is atrocious Microsoft\Windows documentation and applies to every single facet of Microsoft's products. I know we all just love spending hours, sometimes days, sometimes weeks trying to find answers to Microsoft's products.
 

Eddie Morra

There's a difference between work-in-progress and a release.
What about JavaScript and VBScript support for AMSI scanning that has been talked about for years on the Windows Defender blog posts? There's no public documentation on that either.

The whole thing is a troll for people who want to make use of the technology for real-time scanning in their solutions when they do not have insider knowledge or are not part of one of the partner programs which would provide more support on these topics. In that case, what is the point in any public documentation? It's so small, it's ridiculous.
 

509322

There's a difference between work-in-progress and a release.

Microsoft has many more hidden settings and APIs which are work in progress, so you're going to claim they were already there when Microsoft announces it?

If it's in the product, then it is released. That's how it works.

Yep.
 

cruelsister

You have to love the Internet as a source of truth! It seems that the Softpedia author did not think that the original article was alarmist enough, so did a bit of paraphrasing to scare you:

From the Softpedia article:

because on most computers running Microsoft Office the Office macro feature is enabled by default

But when you read the original article (Microsoft Office Macros: Still Your Leader in Malware Delivery - Cofense) you read this: "Depending on a business’s IT environment, the Microsoft Office Macro feature could be enabled by default".

In other words, only those Enterprise folks who specifically enable macros by setting this option, "Enable all macros (Not recommended; potentially dangerous code can run)", AND do not bother to have adjunct protection in place would be at risk.

The typical Home user that does not use macros (and probably has no clue where this setting is) will leave the default setting of "Disable all macros with notification" in place and would be unaffected.
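As an added example (not code from this thread, from Cofense or from Microsoft), a PowerShell audit of the two per-user registry settings this thread touches on: the MacroRuntimeScanScope value Eddie Morra quoted above, and the Trust Center "Macro Settings" choice cruelsister refers to. The VBAWarnings value name, the per-application key paths and the meanings of the individual numeric values are assumptions from Microsoft's Office registry layout, not from this thread.

```powershell
# Added example, not from the thread: audit (and optionally set) the per-user Office 16.0
# macro settings discussed above. Assumptions: MacroRuntimeScanScope meanings per Microsoft's
# later Office AMSI documentation; VBAWarnings is the registry form of Trust Center ->
# Macro Settings (value meanings assumed from Microsoft's Office registry layout).
$OfficeRoot = 'HKCU:\Software\Microsoft\Office\16.0'

$VbaWarningsText = @{
    1 = 'Enable all macros (Not recommended; potentially dangerous code can run)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}
$AmsiScopeText = @{
    0 = 'AMSI scanning of VBA disabled for all documents'
    1 = 'AMSI scanning of VBA for low-trust documents only'
    2 = 'AMSI scanning of VBA for all documents'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent; Office then falls back to its built-in default.
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-OfficeMacroPosture {
    $scope = Get-RegDword "$OfficeRoot\Common\Security" 'MacroRuntimeScanScope'
    $meaning = if ($null -eq $scope) { 'not set (Office default applies)' } else { $AmsiScopeText[$scope] }
    [pscustomobject]@{ Setting = 'MacroRuntimeScanScope'; Value = $scope; Meaning = $meaning }
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $v = Get-RegDword "$OfficeRoot\$app\Security" 'VBAWarnings'
        $meaning = if ($null -eq $v) { 'not set (Office default applies)' } else { $VbaWarningsText[$v] }
        [pscustomobject]@{ Setting = "$app VBAWarnings"; Value = $v; Meaning = $meaning }
    }
}

function Set-OfficeMacroBaseline {
    # Scope 2 is the value quoted in the thread; VBAWarnings 1 ("enable all") is deliberately not allowed.
    param([ValidateSet(2, 3, 4)][int]$VbaWarnings = 2)
    New-Item -Path "$OfficeRoot\Common\Security" -Force | Out-Null
    Set-ItemProperty -Path "$OfficeRoot\Common\Security" -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        New-Item -Path "$OfficeRoot\$app\Security" -Force | Out-Null
        Set-ItemProperty -Path "$OfficeRoot\$app\Security" -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

Get-OfficeMacroPosture | Format-Table -AutoSize
```

Group Policy values under HKCU\Software\Policies\Microsoft\Office\16.0 take precedence over the per-user keys read here and are not checked by this script.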
 

Local Host

What about JavaScript and VBScript support for AMSI scanning that has been talked about for years on the Windows Defender blog posts? There's no public documentation on that either.

The whole thing is a troll for people who want to make use of the technology for real-time scanning in their solutions when they do not have insider knowledge or are not part of one of the partner programs which would provide more support on these topics. In that case, what is the point in any public documentation? It's so small, it's ridiculous.
And it should remain that way; this is not something for anyone to go mess about with, trying to find work-arounds on top. Only developers who have proven themselves have access to that sort of information, and they're the only ones who can use it properly either way.

Lazy developers would just fail to use the feature set properly, as we've seen over the years with other Microsoft APIs. Most AV developers fail to optimise and use their own APIs, let alone use others' APIs.

This type of macro doesn't affect Home users generally as well, so the information ends up reaching the market that matters.
You have to love the Internet as a source of truth! It seems that the Softpedia author did not think that the original article was alarmist enough, so did a bit of paraphrasing to scare you:

From the Softpedia article:



But when you read the original article (Microsoft Office Macros: Still Your Leader in Malware Delivery - Cofense) you read this: "Depending on a business’s IT environment, the Microsoft Office Macro feature could be enabled by default".

In other words, only those Enterprise folks who specifically enable macros by setting this option, "Enable all macros (Not recommended; potentially dangerous code can run)", AND do not bother to have adjunct protection in place would be at risk.

The typical Home user that does not use macros (and probably has no clue where this setting is) will leave the default setting of "Disable all macros with notification" in place and would be unaffected.
Softpedia is in the middle ground for me; they are either biased or lack knowledge with their Microsoft/Windows news.
 

509322

You have to love the Internet as a source of truth! It seems that the Softpedia author did not think that the original article was alarmist enough, so did a bit of paraphrasing to scare you:

From the Softpedia article:



But when you read the original article (Microsoft Office Macros: Still Your Leader in Malware Delivery - Cofense) you read this: "Depending on a business’s IT environment, the Microsoft Office Macro feature could be enabled by default".

In other words, only those Enterprise folks who specifically enable macros by setting this option, "Enable all macros (Not recommended; potentially dangerous code can run)", AND do not bother to have adjunct protection in place would be at risk.

The typical Home user that does not use macros (and probably has no clue where this setting is) will leave the default setting of "Disable all macros with notification" in place and would be unaffected.

Because the IT security news is a cesspool of click-bait garbage and just plain atrocious journalism. In fact, most of the people who create these articles (or more often copy them from an original source and re-post) are not journalists. So they have no concept of journalistic ethics. The sole guiding factor is to generate site traffic. This is nothing new. It is common knowledge.
 

509322

And it should remain that way, this is not something for anyone to go mess about and trying to find work-around on top. Only developers who proven themselves have access to that sort of information, and they're the only ones who can use it properly either way.

That is not correct. For example, Microsoft doesn't enable PUP detection in Windows Defender on Home. You don't need to be a programmer to enable/disable functionality. Doing so isn't going to break anything. Microsoft is notorious for this sort of thing.

If it is in the product, then it is released. There is no entitlement or differentiation between whether it is a user or a "developer" making the tweaks. If Microsoft doesn't want people to have access, then they shouldn't ship it with the product.
 

509322

Sadly far too many take a published article and drivel like PC Mag reviews as the Word of God.

Really? I know a developer who thinks that PCMag and Rubenking are absolutely awesome. That their review is actually something meaningful. He actually thinks that PCMag reviews are bona fide 3rd-party testing that satisfies legal and certification standards. Really... I cannot make this up.
 

509322

The fact that Microsoft has allowed Office to be so weaponized is inexcusable.

They can offer a version with the VBA and other abusable, but unneeded, garbage ripped out (Kingsoft does). But you know how Microsoft is... all their products are shipped as general versions so they can use them across the entire spectrum with ease.
 

ForgottenSeer 58943

It makes me laugh because a lot of people get bent out of shape if a security solution doesn't block an Office macro infection... meanwhile, the person who is getting bent out of shape about it very often doesn't even use Office (because they don't want to pay) - so that person isn't even susceptible to macro infections.

Such is the nonsense.

This is the key. Usually, I find, consumers don't use things like Adobe and Microsoft Office. OpenOffice, WPS and LibreOffice are far more common from what I have seen. In fact, we just assisted with a project for a rather large firm using OpenOffice. Also keep in mind the migration from SBS/Exchange over to 365, and the vast majority of those users will be using the web apps, which virtually eliminates the threat vector from these things.

I'm actually questioning the validity of even testing such threats anymore.
 
