Macro-based malware is back in business – 6 tips on how to keep it out

Observations from F-Secure Labs

Author: F-Secure Business Security Insider
Date: 25.05.2015
Read Time: 4 Minutes

During the past several months, we have detected various groups of attackers distributing malware through Microsoft Office documents containing malicious macros, reviving a decade-old technique that hasn’t seen much use since its golden age in the ’90s.

For those who don’t know, macros are basically scripts embedded in files that automate tasks in applications such as Microsoft Word or Excel, but which can also be used for malicious actions like installing malware.

Back in the day, attackers stopped using macro-based malware mainly due to a security policy introduced in Office XP (2001), which asked for user permission before running unsigned macros that were embedded in files. This made the attacks relatively hard to execute, and consequently, most attackers dropped macros from their methods in favor of other malware distribution methods.

Yet, 15 years later, it seems that macro-based malware is resurfacing.


The revival of macro-based malware comes in conjunction with a well-known tool: social engineering. As it turns out, it’s 2015 and people will still open things we knew were bad back in the ’90s. For those handling IT matters for a company, this isn’t really a surprise.

Malicious files containing macro malware, and the emails used to distribute them, are intentionally crafted to resonate with the reader. With business-related topics such as sales invoices, tax notices and CVs, readers can easily be tricked into opening the attachment without thinking twice.

The victim is made to think that in order to actually access the data, he or she has to first enable the macro. In fact, many of the documents include step-by-step instructions on how the victim can enable the untrusted macros. The right combination of instructions, relevant content and file names is often enough to convince the victim to enable the macro, which allows the malware to run.

On the technical side of the game, today’s macro attacks have new tools they can use to get past email and spam protection, which can usually handle such attacks. For example, today’s macro-malware attacks can use zipped file attachments and cloud-based storage services (such as Dropbox) in an attempt to evade scanners. For the more technical people out there, it’s also worth noting that a number of these recent attacks have had their macros leverage PowerShell, Microsoft’s task-based command-line shell and scripting language.


The macro itself, however, is often simply a downloader that serves as a gateway for installing a backdoor into your systems.


1) Protect your email
Protection against macro based attacks begins first and foremost with strong email security, as most of the attachments, files and links are delivered through email. All standard best practices apply, but pay more attention to capabilities such as attachment stripping and scanning, in addition to link reputation checks and security.

2) Disable Macros (where you can)
At the end of the day, there is rarely a situation where you can block all macros, but you can set group policies to allow their use only for those who need them. For example, the majority of your employees will never have a reason to run macros in Word.

3) Protect your end-points with modern technologies
In those cases where you cannot just block all macros (and if you can, do it for added protection), you should ensure that your security solution has heuristic, behavior-based and reputation-based security capabilities. This ensures that any malicious file that has previously been seen anywhere in the world is automatically blocked, and that zero-day malware gets blocked by analyzing its execution and behavior.

4) Use up-to-date Office software
Most macro malware is in the .doc file format, which is mostly seen in Microsoft Office 2007 and older versions. Consequently, it is a good idea to use the latest Office software, which has better safeguards against these kinds of attacks. For example, it contains extra safeguards against attempts to disguise the “.docm” and “.xlsm” extensions.
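Tips 1 and 4 both come down to the same check on the mail gateway: recognise a macro-enabled Office document by what is inside it, not by the extension it was given, and do so even when it arrives wrapped in a zipped attachment. The script below is an added example, not F-Secure’s code or anything from the article. It assumes that modern Office files are OOXML packages (ZIP containers with a `[Content_Types].xml` part) and that a macro-enabled one either carries a `vbaProject.bin` part or declares a `macroEnabled` content type; legacy binary .doc/.xls files are only flagged by their OLE magic bytes, since telling whether one of those contains a macro needs a dedicated OLE parser. The sample e-mail and the attachment it carries are constructed inline.

```python
"""Flag macro-enabled Office attachments in an e-mail, regardless of extension.

Added example for a mail-gateway check; not F-Secure's code. Assumptions:
the message is available as raw RFC 822 bytes, OOXML documents are ZIP
packages with a [Content_Types].xml part, and macro-enabled ones carry a
vbaProject.bin part or a "macroEnabled" content type.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header


def classify_office_blob(data: bytes) -> str:
    """Return 'macro-enabled', 'ooxml-no-macro', 'legacy-binary' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"        # needs an OLE parser to inspect further
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "other"        # a ZIP archive, but not an OOXML package
            ctypes = zf.read("[Content_Types].xml").lower()
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            if has_vba or b"macroenabled" in ctypes:
                return "macro-enabled"
            return "ooxml-no-macro"
    except zipfile.BadZipFile:
        return "other"


def scan_blob(name: str, data: bytes, depth: int = 0):
    """Yield (name, verdict) pairs; recurse one level into plain ZIP attachments."""
    verdict = classify_office_blob(data)
    if verdict == "other" and data.startswith(ZIP_MAGIC) and depth < 1:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    yield from scan_blob(f"{name}/{member.filename}", zf.read(member), depth + 1)
            return
        except zipfile.BadZipFile:
            pass
    yield (name, verdict)


def scan_email(raw: bytes):
    """Walk every attachment of a raw message and return the list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(part.get_filename() or "unnamed", payload))
    return findings


def build_fake_docm() -> bytes:
    """Constructed sample: minimal OOXML package with a VBA part (not a real VBA project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed sample mail: 'invoice.zip' wrapping a macro document renamed to 'invoice.doc'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.doc", build_fake_docm())
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Sales invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment("nothing to see here", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_email(build_sample_email()):
        print(f"{name}: {verdict}")
```

Run stand-alone, the script reports `invoice.zip/invoice.doc: macro-enabled` even though the inner file carries a harmless-looking `.doc` name, which is exactly the disguise tip 4 warns about; a gateway policy can then strip or quarantine the attachment before it reaches the reader.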

5) Employee education: Don’t open suspicious emails and files!
Standard email security best practices apply: recommend that your users delete suspicious emails and never open attachments from untrusted sources – especially if they don’t know why they have received it.

6) Employee education: Don’t run macros on your computer!
Unlike traditional exploit kits, macro-based threats require user consent to run. This means that at the end of the day, telling your employees to not run macros can make the difference between getting infected and having a close call.

In fact, after reading this article, why don’t you send your employees a reminder email about it?


In addition to the safeguards mentioned above, our Security Advisor, Sean Sullivan, recommends companies invest in email productivity training – people are less likely to fall for traps when they properly manage their email.

“By doing this, companies are not ‘only’ putting money into security awareness, but rather, they get tangible benefits out of it in addition to better security.”

One thought on “Macro-based malware is back in business – 6 tips how to keep them out”

  1. Very interesting article! I readily relate to the macros and bat files, and the ease of creating them. Once you get the C: …all bets are basically off! Also, accessing the shell GUI can make things happen pretty easily. I think you make a great point here with regard to the training!
    Thank You,
    Doug Dawson

