Up to date protection against Office suite documents with hidden macros

Using macros to propagate ransomware and other malware

Anyone who hasn't been living under a rock knows that spammers love to exploit Microsoft Office macros in order to infect their prey's networks with ransomware or other equally pleasant stuff. The typical modus operandi looks something like this: you receive an email asking for a quote that appears to have been sent by a client. Attached is a .doc document containing macros that are set to run automatically. The deed is done and your PC or network is infected!

When spammers first realized that they could leverage Microsoft Office documents with macros to launch malware because macros actually contain executable code, this propagation method quickly became widespread. ZEROSPAM reacted by adding antiviral signatures for these documents and by developing filtering heuristics to recognize them. All pre-2007 Microsoft Office documents with macros sent with messages that our systems could correlate with known malware campaigns were recognized and blocked. To offer additional protection against zero-day threats, blocking of all pre-2007 Office documents containing macros was enabled in Cumulus, our client interface. This box can be unchecked if your organization needs to receive legitimate old versions of Microsoft Office files with macros (most likely Excel files). It will avoid false positives but the ZEROSPAM heuristics and signatures will still protect you from known campaigns using old macros. You can also whitelist .xls files in the Cumulus File Extension Whitelist.


Why pre-2007?

The choice to only address pre-2007 documents stems from Microsoft’ decision to change their file formats and extensions as of Office 2007. From there on, Word documents without macros became .docx and Word documents with macros became .docm. The same logic was applied to PowerPoint and Excel documents. This made the executable nature of the document more visible to the end user. Spammers weren’t crazy about that so they tended not to use them for their malware campaigns.


What changed?

Our team recently noticed that some spammers were renaming post-2007 Office files to hide the fact that they contained macros. For instance, a .docm file would be renamed .doc. Normally, that wouldn’t be a problem because a standard install of Microsoft Office will detect this mismatch and not allow the file to be opened. However, what spammers appear to have realized is that many organizations override this standard policy and allow macros to be executed even if the file type and file extension don’t match.

This method was recently used in a dangerous malware campaign where spammers inserted themselves and in an email conversation. The bad guys had already infected either the sender or the recipient’s email and had complete access to their messages. They replied to a legitimate email from that conversation using a generic message and a .docx attachment renamed .doc. Since this was part of a an on-going email thread with a legitimate correspondent, the recipient was caught totally off-guard and opened the attachment.


ZEROSPAM leverages it’s advanced detection to provide better protection

ZEROSPAM's banned file detection is based on the file type instead of the extension, which is determined by the first few bytes of a file. Otherwise, spammers could simply rename their executable payload so the attachment would go undetected. Since this ability was preexistent in our systems, within days of discovering this new threat, the ZEROSPAM team had created a new category of banned attachments to block Microsoft Office files containing macros with mismatched extensions names. It’s in the Cumulus Parameters under Banned Categories and is called Microsoft Office Mismatch Macro version. This new banned category is enabled by default for all new and existing customers as it is hard to imagine a legitimate reason to hide the true nature of an attachment.


Banning ALL macros is also possible

For those organizations who decide documents with macros sent by email are an evil thing, ZEROSPAM also added the possibility to ban them all. To do so, you need to go to the Parameters page in Cumulus, click on the Edit link in the Banned Categories section and then check the Microsoft Office 2007 Macros box. If the Pre-2007 Microsoft Office macros box is also checked, you are now fully protected against all Microsoft files containing macros.


An agile vendor is your best defense

Spammers are always on the lookout for new way to abuse email and infiltrate your inbox. Using an agile Anti-Spam provider such as ZEROSPAM is your best bet to keep on top of any and all emerging threats.