Threat Awareness – Microsoft’s Default Blocking of Macros Creates Threat Actor Shift to LNK Files

Cisco Talos posted a blog covering its research into threat actor activity in the aftermath of Microsoft’s July 2022 action of blocking all VBA macros by default in documents downloaded from the internet. This action mitigated a common technique frequently used by attackers to gain access to networks and devices. After tracking the tactics of established malware gangs, Talos researchers observed that malicious LNK files have become a popular alternative. LNK files, most commonly recognized as “shortcuts,” contain information that can be used by the operating system or applications to access other system objects. Talos has documented multiple tools that attackers are using and discusses how these tools leave artifacts that network defenders can use to detect malicious LNK files. Read more at Cisco Talos.