"Threat Actors Turn To QR Codes and Other Creative Techniques as Macros Are Blocked"

According to new research from HP Wolf Security, the blocking of macros by default in Microsoft Office has prompted threat actors to be more creative with their attacks. As a result, there have been increases in the delivery of malware via PDFs and ZIP files, as well as a rise in 'scan scams' that use QR codes to trick users into opening links on mobile devices. Malware distributors such as Emotet have been observed attempting to bypass Office's stricter macro policy by using increasingly effective social engineering tactics. According to Alex Holland, senior malware analyst with HP Wolf Security's threat research team, the increase in scan scams, malvertising, archives, and PDF malware shows that attackers will always find a way to deliver malware. Users are therefore advised to be wary of emails and websites that urge them to scan QR codes and provide sensitive information, as well as PDF files that include links to password-protected archives.

Since October 2022, HP has observed QR code scam campaigns almost every day. They trick users into scanning QR codes shown on their computers with their mobile devices, possibly to take advantage of weaker phishing protection and detection on such devices. The QR codes then direct users to malicious websites requesting credit card information. Examples include phishing campaigns posing as parcel delivery companies asking for payment.

In addition, there has been a 38 percent increase in malicious PDF attachments. Newer attacks avoid web gateway scanners by using embedded images that link to encrypted malicious ZIP files. The instructions in the PDF contain a password that the user is tricked into entering to unpack the ZIP file, which then deploys QakBot or IcedID malware to gain unauthorized access to systems.

This article continues to discuss some methods that threat actors are using to work around Office's stricter macro policy.

BetaNews reports "Threat Actors Turn To QR Codes and Other Creative Techniques as Macros Are Blocked"
