Cyber criminals have been forced to evolve their tactics since Microsoft began blocking Office macros by default. For years, malicious Microsoft Office macros were a favorite tool for hackers to gain access to their targets’ computers. However, in 2022, Microsoft started blocking macros on files downloaded from the internet. Since then, cyber criminals have been trying out new ways to deliver malware.
Although hackers are having to be more creative in how they carry out their attacks, nothing has so far had the “same type of durability as the macro-enabled attachment,” says Selena Larson, author of a new report on the trend. Some of the new tactics used by hackers include container files, HTML smuggling, and PDFs. In recent months, some cyber criminals have also started using Microsoft’s note-taking app, OneNote, to deliver malware.
These new methods are not as effective as the macro-enabled attachment, and cyber defenders are managing to stay on top of them. However, because threat actors are trying different ways to bypass existing detections, cybersecurity professionals need to be proactive in coming up with new detections and rules.
Security training, too, needs to be updated to reflect the latest trends. For example, users need to be made aware of the new PDF methods used by hackers. Larson advises, “Just being, like, ‘Hey, look out for this type of thing!'”
Organizations also need to keep up-to-date with the latest trends. Rarely has such a simple policy change made such a big difference in the cybercrime landscape. In 2021, before the policy change, researchers from Proofpoint tracked over a thousand malicious campaigns using macros. In 2022, macro-enabled attacks plummeted by 66%. Thus far in 2023, macros have almost disappeared in cyberattacks.
The cyber defense industry has been able to cope with the new tactics used by hackers so far. However, cyber criminals will continue to evolve their tactics and cyber defenders will need to be equally fast in keeping up. While nothing has stuck like the macro-enabled attachment, Selena Larson warns that cyber criminals are trying out many different attack chains, and “the speed and the rate and scope of the changes that they’re making stands out.”