Dangerous Macros: how ZEROSPAM deals with them and protects your emails


Macros. The ease of use and power they bring to the table means they are almost universally used by companies. Through them, a whole variety of actions can be performed to help productivity, for example automatically adding a serial number to a new worksheet, automatically changing the background of a cell, or providing a helpful link to export a document to PDF and save it to a pre-designated folder.



The dark side of the Macros

Unfortunately, the near-ubiquity of macros in a business setting has long been noticed by the spammer community as well. Spammers can design documents that at first glance might appear to be legitimate but, once opened, wreak all sorts of nastiness on the user’s workstation. How do they do this? Macros. Not all macros are created equal. Some, like those that add a serial number, only impact the working document. Other macros leverage more powerful features that interact directly with the computer, by writing data to the disk (like our PDF example) or by calling up another program.

It’s these last two types of macros that pose a major security risk. While they can be powerful productivity-enhancers, in the wrong hands their ability to write data to disk and execute external code becomes the means to hijack a computer. What’s more, macros can be set to auto-execute. This is another handy feature meant to help productivity, but it can become terribly dangerous in the hands of a bad actor.

So now we have the final portrait of Dangerous Macros: macros that will auto-execute and that will also execute code and/or write to the disk. And that danger spells R-A-N-S-O-M-W-A-R-E. True, there are some legitimate use-cases, but so much ransomware is being sent using these macros that they should simply be banned.



ZEROSPAM's solution to Dangerous Macros

Email security providers have known for a long time that Microsoft Office documents, especially the versions prior to 2007 (when Microsoft started adding an m to the file extension to indicate the presence of a macro), were used to propagate ransomware. Many providers banned them entirely at that point. The problem is that many companies still use these old formats to send legitimate documents, so this behavior caused false-positive problems. So how do you let legitimate documents with macros through and ban those with potentially dangerous macros?

ZEROSPAM has found the key. Microsoft Office documents containing macros will go through unless they meet the following two criteria: they auto-execute and they also execute code and/or write to the disk. This way, the vast majority of legitimate documents still go through and spammers are robbed of their ability to do harm.
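As an added illustration of the two-criteria rule (this is not ZEROSPAM's code, whose internals the page does not describe), here is a small Python triage routine that applies the same logic to VBA source text. It assumes the macro source has already been extracted from the document (a tool such as oletools' olevba performs that step); the VBA samples, procedure names and keyword lists below are constructed for this example.

```python
"""Two-criteria macro triage: quarantine only macros that auto-execute AND
(execute external code OR write to disk). Keyword-based, for illustration."""
import re
from dataclasses import dataclass

# --- Constructed sample VBA sources (written for this example, not real samples) ---
BENIGN_SERIAL = '''
Sub AddSerialNumber()
    ' Manual helper: no Shell call and no file I/O, only edits the sheet
    ActiveSheet.Range("A1").Value = "SN-" & Format(Now, "yyyymmdd")
End Sub
'''

AUTOEXEC_DOCUMENT_ONLY = '''
Private Sub Workbook_Open()
    Sheets("Summary").Range("B2").Interior.ColorIndex = 6
End Sub
'''

MANUAL_EXPORT_PDF = '''
Sub ExportToPdf()
    ActiveDocument.ExportAsFixedFormat OutputFileName:="C:\\Reports\\out.pdf", ExportFormat:=17
End Sub
'''

AUTOEXEC_WRITES_DISK = '''
Sub AutoOpen()
    Dim f As Integer
    f = FreeFile
    Open Environ("TEMP") & "\\note.txt" For Output As #f
    Print #f, "hello"
    Close #f
End Sub
'''

AUTOEXEC_RUNS_PROGRAM = '''
Sub Document_Open()
    Shell "notepad.exe", vbNormalFocus
End Sub
'''

# Procedures Office runs without a click (common Word/Excel names; not exhaustive)
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Auto_Close|AutoNew"
    r"|Document_Open|Document_Close|Document_New|Workbook_Open|Workbook_Close|Workbook_Activate)\b",
    re.IGNORECASE,
)

# Ways a macro can run code outside the document ("calling up another program")
EXEC_CODE = [re.compile(p, re.IGNORECASE) for p in (
    r"\bShell\b",                                           # Shell "prog" / Shell.Application
    r"\bShellExecute\b",
    r'CreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application)"',
    r"\bDeclare\s+(PtrSafe\s+)?(Function|Sub)\b",          # Win32 API imports
)]

# Ways a macro can write outside the document
WRITE_DISK = [re.compile(p, re.IGNORECASE) for p in (
    r"\bOpen\b[^\n]*\bFor\s+(Output|Append|Binary|Random)\b",   # legacy file I/O
    r"\b(SaveAs|SaveAs2|SaveCopyAs|ExportAsFixedFormat)\b",
    r"\b(Kill|FileCopy|MkDir|RmDir)\b",
    r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"',
    r"\bCreateTextFile\b",
)]


@dataclass(frozen=True)
class MacroVerdict:
    auto_exec: bool
    executes_code: bool
    writes_disk: bool

    @property
    def dangerous(self) -> bool:
        """The two-criteria rule: auto-execution AND (code execution OR disk write)."""
        return self.auto_exec and (self.executes_code or self.writes_disk)


def strip_comments(source: str) -> str:
    """Drop VBA apostrophe comments so words inside them do not trigger a pattern."""
    cleaned = []
    for line in source.splitlines():
        in_string = False
        cut = len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string      # a doubled "" inside a string toggles twice
            elif ch == "'" and not in_string:
                cut = i
                break
        cleaned.append(line[:cut])
    return "\n".join(cleaned)


def analyze_vba(source: str) -> MacroVerdict:
    code = strip_comments(source)
    return MacroVerdict(
        auto_exec=AUTO_EXEC.search(code) is not None,
        executes_code=any(p.search(code) for p in EXEC_CODE),
        writes_disk=any(p.search(code) for p in WRITE_DISK),
    )


def gateway_decision(source: str) -> str:
    """'quarantine' only when both criteria hold; everything else is delivered."""
    return "quarantine" if analyze_vba(source).dangerous else "deliver"


if __name__ == "__main__":
    samples = {
        "manual serial number": BENIGN_SERIAL,
        "auto-exec, document only": AUTOEXEC_DOCUMENT_ONLY,
        "manual PDF export": MANUAL_EXPORT_PDF,
        "auto-exec + disk write": AUTOEXEC_WRITES_DISK,
        "auto-exec + runs program": AUTOEXEC_RUNS_PROGRAM,
    }
    for name, src in samples.items():
        v = analyze_vba(src)
        print(f"{name:26} auto={v.auto_exec!s:5} exec={v.executes_code!s:5} "
              f"disk={v.writes_disk!s:5} -> {gateway_decision(src)}")
```

The point of the example is the decision logic rather than the pattern list: the auto-executing macro that only recolours a cell and the manual PDF export are both delivered, and only the combination of auto-execution with disk writes or program execution is quarantined. Plain keyword matching on source is deliberately simple here; a macro that assembles its keywords at run time will not match these patterns, so a production filter needs more than this to classify reliably.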

Recognizing whether documents containing macros are dangerous or not is the best way to make sure organizations are well protected and receive legitimate messages without constantly having to check their quarantines.