Security Awareness – Threat Actors Don’t Waste Time Adapting to Alternative Attack Vectors After Microsoft (re) Blocks Office Macros

Created: Thursday, July 28, 2022 - 14:58
Categories: Cybersecurity, Security Preparedness

After the Redmond giant’s decision to turn macros off, then on again, and now finally back off, it seems threat actors have already adopted alternative attack vectors to infect victims with malicious attachments. Prior to Microsoft’s decision, attackers favored spreading malware via phishing emails containing Office documents that ran malicious code when macros were enabled. In a new report from Proofpoint, researchers tracked malicious campaigns between October 2021 and June 2022 and observed a shift to other methods of payload distribution. Specifically, threat actors’ use of archive and executable files such as ISOs, ZIPs, and RARs significantly increased. Moreover, the use of LNK files rose dramatically, by 1,675 percent; threat actors behind Emotet and Qakbot are known to employ LNK files disguised as a Word document in their campaigns. Additionally, Proofpoint observed a large increase in the use of HTML attachments, with attackers employing the HTML smuggling technique to deliver a malicious file to the host system.

Microsoft’s decision to block macros by default should put a crimp in phishing attacks that rely on malicious attachments to infect victims. Where once it was relatively simple to trick a target into opening a recognizable Office document file type, users presented with less recognizable file types may not be so quick to click anymore. Members are encouraged to remind users to be wary of ALL attachments. Read more at BleepingComputer.