August 3, 2022

Attackers are exploring tactics to bypass Microsoft’s defense strategy, one of which involves turning to file types as vessels for malware.

So far, attackers have relied on macros-enabled attachments, but the number of attackers using this tactic dropped after Microsoft began blocking XL4 macros by default for Excel users. Microsoft also blocked VBA macros by default across the Office suite.

To get around macros blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents.

According to Proofpoint researchers since blocking macros by default, malicious campaigns using container files such as ISO, RAR and LNK attachments have now increased by 175%.

The new tactic attempts to bypass Microsoft’s method of blocking VBA macros based on a Mark of the Web (MOTW) attribute, which shows whether a file comes from the internet known as the Zone.Identifier.

“Microsoft applications add this to some documents when they are downloaded from the web. However, MOTW can be bypassed by using container file formats,” the Proofpoint researchers wrote.

Attackers can use the file formats listed above to send macro-enabled documents because the documents within those files, such as a macro-enabled spreadsheet, do not have a MOTW attribute even if the files have it.

The sources for this piece include an article in ThreatPost.