Weaponized Microsoft documents were a highly favored technique until Microsoft put the kibosh on macros in files received from the internet last year. As such, WaterISAC been tracking the various tactics threat actors have migrated to. According to Proofpoint, Microsoft’s action has resulted in a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers. With email arguably being the most widely used platform across every organization and threat actors’ propensity to use phishing to gain initial access, it’s important for defense teams to maintain awareness of the rapidly changing techniques used to proliferate malware since Microsoft’s blocking of macros.
Although the disabling of macros only affects Office on devices running Windows, threat actors have widely pivoted to other methods that don’t rely on macros to run malicious code such as ISO and ZIP files packaging malicious LNK or script files to execute initial payloads. Likewise, some malware families have clung to Office documents that don’t require macros. Most notably, Emotet, Qakbot/Qbot, and IcedID have been using malicious OneNote files to distribute malware. Additionally, Emotet has also been attaching very large ZIP files to bypass Microsoft security restrictions and deliver Office documents which then prompt users to “Enable Content” allowing malicious macros to run and distribute the malware. In a recent report, Proofpoint takes a much deeper look at techniques such as HTML smuggling, malicious PDF usage, and the OneNote explosion. The report covers some of the most prolific groups using these initial access tactics such as various Qakbot affiliate threat actors and IcedID. Access the report at Proofpoint.
Additional WaterISAC reporting regarding alternative tactics to macros:
- DHS Report on Threat Actors Exploiting OneNote to Deliver Qakbot and IcedID Malware
- Cyber Resilience – How to Block Microsoft OneNote Files from Delivering Malware
- Threat Awareness – Qbot Malware Propagating via Email Hijacking
- Threat Awareness - Use of Microsoft OneNote to Spread Malicious Payloads Rising
- Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain
