"Hackers Change Tactics for New Post-Macro Era"

Security researchers state that threat actors are moving away from macro-based attacks to other tactics, in one of the most significant shifts in the email threat landscape in recent history. Microsoft, in October 2021, announced that it would soon block XL4 macros, which are specific to Excel. Several months later, Microsoft said the same about VBA macros, which are used in Office applications. The researchers noted that threat actors typically use social engineering to convince users they need to enable macros to view specific content.

The changes began to roll out this year, and the researchers saw an almost immediate reaction from the cybercrime community. The researchers stated that the use of macro-enabled attachments by threat actors decreased by around 66% between October 2021 and June 2022.

However, ever-resourceful hackers have found a way to bypass Microsoft's new rules to continue delivering malicious content to victims. The researchers stated that Microsoft will block VBA macros based on a Mark of the Web (MOTW) attribute that shows whether a file comes from the internet. However, MOTW can be bypassed by using container file formats. Threat actors can use container file formats such as ISO, RAR, ZIP, and IMG files to send macro-enabled documents. The researchers noted that threat actors can also use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs, or executable files that lead to the installation of a malicious payload. The researchers stated that as a result, the number of malicious campaigns using container file formats surged 176% between October 2021 and June 2022. The researchers noted that these attacks are mainly used for initial access.
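The shift described above moves the thing worth inspecting from the attachment itself to what sits inside it. The following is an added example, not code from the article or the researchers it cites: a small triage routine for a ZIP container attachment that unpacks it in memory and flags macro-enabled Office documents (by extension, or by the presence of a `vbaProject.bin` part even when the extension looks like a plain `.docx`), direct-execution content (LNK, DLL, EXE) and containers nested inside containers. Only the ZIP format is parsed here; ISO, IMG and RAR would need their own parsers. The extension lists, size limit and nesting limit are assumptions chosen for the example, and the sample attachment is constructed inline from placeholder bytes.

```python
"""Triage a ZIP-style container attachment for macro-enabled Office
documents and direct-execution content. Added example; ZIP only."""
import io
import posixpath
import zipfile

# Assumed lists for this example; tune to the environment.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".xlsb",
                    ".pptm", ".potm", ".ppam"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx",
                                       ".pptx", ".potx"}
DIRECT_PAYLOAD_EXTENSIONS = {".lnk", ".dll", ".exe"}
# OOXML parts that hold VBA code for Word, Excel and PowerPoint.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate oversized members
MAX_DEPTH = 3                         # containers nested inside containers


def _ext(name):
    return posixpath.splitext(name.lower())[1]


def _has_vba_project(blob):
    """True if an OOXML document (itself a ZIP) carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as doc:
            return any(n in VBA_PARTS for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_container(data, depth=0, prefix=""):
    """Return a list of (member_path, reason) findings for a ZIP container.
    Nested ZIPs are walked up to MAX_DEPTH; inner paths use 'outer.zip!/inner'."""
    if depth > MAX_DEPTH:
        return [(prefix or "<root>", "nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _ext(info.filename)
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to inspect"))
                continue
            if ext in DIRECT_PAYLOAD_EXTENSIONS:
                findings.append((path, "direct-execution content (%s)" % ext))
            elif ext in MACRO_EXTENSIONS or (
                    ext in OOXML_EXTENSIONS and _has_vba_project(zf.read(info))):
                findings.append((path, "macro-enabled Office document"))
            elif ext == ".zip":
                findings.extend(inspect_container(zf.read(info), depth + 1, path + "!/"))
    return findings


def _ooxml_bytes(with_vba):
    """Constructed minimal OOXML-shaped ZIP; the VBA part is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            d.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def build_sample_container():
    """Constructed sample attachment (not real malware): a macro-enabled .docm,
    a .docx hiding a VBA part, a harmless text file, a placeholder .lnk and a
    nested ZIP holding an .xlsm."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.xlsm", b"constructed, not a real workbook")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docm", _ooxml_bytes(with_vba=True))
        z.writestr("notes.docx", _ooxml_bytes(with_vba=True))
        z.writestr("readme.txt", "nothing to see here")
        z.writestr("update.lnk", b"constructed placeholder, not a shortcut")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_container(build_sample_container()):
        print("%-28s %s" % (path, reason))
```

The extension check is deliberately conservative: a `.docm` is flagged even if no VBA part is found, while a `.docx` is only flagged when `vbaProject.bin` is actually present. The size and depth limits keep a crafted archive from exhausting memory during triage.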

Infosecurity reports: "Hackers Change Tactics for New Post-Macro Era"