In the last month, Microsoft Office documents laden with malicious macros account have remained the malware loader-du-jour. Cofense IntelligenceTM has found they account for 45% of all delivery mechanisms analyzed.

Chart 1 details that breakdown, showing the overwhelming propensity for threat actors to leverage tried and tested delivery mechanisms. But being easily accessible and having an extremely low barrier-to-entry doesn’t mean that macros are used exclusively by immature or low-impact threat actors. During analysis, Cofense Intelligence identified the malware being delivered via macros to be amongst the most malignant of today’s threat landscape, including: Geodo, Chanitor, AZORult, and GandCrab (see Chart 2 further down for the full list).

Chart 1: Malware loaders analyzed by volume during 08/01/18 – 09/01/18

The macro is still the preferred email attachment method of delivering a malicious payload to the endpoint because it is either enabled on a machine, or is easily allowed by a single mouse click. This makes it almost trivial to launch the first stage of an infection chain. Macros, used as such, are embedded Visual Basic scripts typically used to facilitate either the download or direct execution of further payloads.

Depending on a business’s IT environment, the Microsoft Office Macro feature could be enabled by default. In such scenarios, a user may have no other indication that anything is amiss upon opening the document. Even if an organization has appropriate policies in place, most can be dismissed or bypassed with a single click. Figure 1 shows just such a warning that is dismissible with a single click.

Figure 1: A typical security warning presented to users opening a document containing macros.

Macros tend to be used as the first stage in an infection chain, most often downloading a payload from a remote site. Chart 2 details the breakdown of payloads obtained either directly by a macro or retrieved in a chain involving that macro.

As shown above, most payloads involved in these campaigns were samples of the Geodo malware. There were two different types of ransomware delivered as well. The range of different types of malware, from simple bots to ransomware, shows that mature and amateur operators alike are using this vehicle to get the payload to the endpoint.

What You Can Do

Abuse of this feature can be easily mitigated by disabling macros enterprise-wide. However, macros do have legitimate and valuable usage, upon which many businesses rely. To help reduce the attack surface introduced by this feature, businesses have some options. A blanket policy of blocking documents at the gateway is, naturally, the most effective. However, this scorched earth approach is unlikely to be tolerable to most businesses.

A more effective approach is a combination of tailored policies – such as blocking or grey-listing documents coming from unknown or undesirable senders – as well as security solutions and robust user education. Such an approach gets the best results in the inevitable trade-off between security and usability.

Speaking of education, Cofense PhishMeTM our security awareness and phishing simulation solution, not only offers Microsoft macro templates but keeps accurate track if opened by a user. For a solution overview, watch this short video.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.