By Security Analyst/Ethical Hacker, Dillon Rangel
In June 2022, Microsoft made significant changes to how Word macros are handled, requiring extensive user interaction before enabling them. This effectively killed the use of malicious macros as a common attacker tactic. As a red teamer who has a soft spot in his heart for Word macros as a flexible part of an engagement, I'm happy this threat will have to get significantly more creative, and I'm also sad to see it go. As is always the case with threat actors, tactics evolve. There has been a shift in attacker tactics towards credential stealing methods over traditional malware deployment via macros. Attackers are adapting to the increased security measures by focusing on social engineering techniques to trick users into revealing their credentials through phishing emails, fake login pages, and other deceptive means.
This will be a short post but I want to sign off with a personal story about how fun macros can be. I was on an engagement to test the effectiveness of an SAT (KnowBe4) program and the users had been sufficiently trained on identifying links in emails. I specifically wanted to avoid sending links because that is what people were primed to be on the lookout for. I settled on Word documents with macros but there was an email filter in place to block and review non-.docx extensions. By design, a .docx cannot contain a macro. This does not mean that they're safe because they're still capable of executing a macro. So I bypassed this email filter by hosting a .dotm in the cloud and loading it on demand in the .docx. A reverse engineer could strip the OLE down bit by bit and find no macro because the .docx didn't contain one. It downloaded a macro enabled template upon being opened. My favorite part of this attack was that the most successful documents had a pretext of offering free doughnuts.
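The defender's counterpart to the story above: a .docx that loads its template from the network records that fact in its settings relationships part, so a mail gateway or triage script can flag it even though no macro is present in the file. This is an added example, not code from the post; the sample "documents" are constructed in memory and hold only the relationships part, and the hostname is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate URLs found in a .docx (empty list if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits  # no settings relationships at all, so no attached template
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Word records a template on the local disk as a file:// target; an http(s)
            # target means the template (and any macros in it) is fetched on open.
            if rel.get("TargetMode") == "External" and re.match(r"(?i)^https?://", target):
                hits.append(target)
    return hits


def build_sample(rels_xml):
    """Constructed fixture: a zip holding only the settings relationships part (not a real .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


REL_TEMPLATE = f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="%s" TargetMode="External"/></Relationships>'
# Constructed samples: one points at a placeholder host (.example is reserved), one at a disk path.
REMOTE_SAMPLE = build_sample(REL_TEMPLATE % "https://template-host.example/brand.dotm")
LOCAL_SAMPLE = build_sample(REL_TEMPLATE % "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    for name, sample in (("remote", REMOTE_SAMPLE), ("local", LOCAL_SAMPLE)):
        print(name, find_remote_templates(sample))  # remote -> [url], local -> []
```

Real Word files carry many more parts, but the check only needs this one; a template attached from the local Templates folder is normal and is deliberately not flagged.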
It's been a good many years and it's definitely time to say goodbye to this technique. A long overdue blog post and many fond memories. We look forward to developing new creative ways to bypass email filters, demonstrate value with proof of concept social engineering campaigns, and most of all, using this knowledge to improve organizations' cyber posture in this advanced cyber threat landscape.