Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).
Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."
The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.
New tactics
Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.
The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.
Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.
Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.
According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.
Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.