Macros: To Block or Not to Block?
Should you block or disable macros? This debate recently became a hot cybersecurity topic again after Microsoft announced earlier this year that it would begin disabling certain macros, by default, because threat actors were using them in attacks.
Then, the company rolled back the decision to implement the change with little notice, a move it said was “based on feedback.” The reversal generated plenty of “negative excitement” among those charged with maintaining the IT security of their organizations.
Now the company is back where it started, rolling out products with macros disabled as the default. The flip-flopping over macros blocking from the world’s premier provider of office productivity tools still has many security practitioners scratching their heads over the right approach for their organizations. This provides a good opportunity to explore some background about macros and the security concerns that surround them.
Use Cases for Macros
Macros in office productivity applications were designed as tools that allow you to automate tasks and add functionality to forms, reports, and controls. They help speed up workflow by automating repetitive tasks in products such as Microsoft® Word, Excel®, and Access®. Using macros for these repetitive tasks can often help eliminate human errors, as well — in data entry, for example.
With today’s emphasis on increasing employee productivity, everything should (in theory at least) be constantly getting better, smarter, faster, and cheaper. Macros can be a great tool for enabling businesses to achieve those goals.
Cybersecurity Risks of Macros
Macros are typically written in Visual Basic Script (VBScript). As with all code, there are those who put it to use for tremendous benefit — and those who (not surprisingly) find ways to abuse it for malicious purposes.
The popularity of Microsoft® Office products among businesses provides a fertile ecosystem for malicious actors (both internal and external) to hide their Visual Basic for Applications (VBA) macros.
Experts believe macro malware has been around since 1995, with the first widely known case of malicious use occurring in 1999 with “Melissa,” a macro in Word documents that provided links to pornographic websites. Although it didn’t damage the infected systems themselves, it did clog email servers, which is a different kind of harm. Experts estimated it cost U.S. companies $80 million to clean infected systems.
Through a period of short peaks and long valleys, macro-related threats came and went until 2014, when the information-grabbing malware ZeuS was discovered in macro-enabled Word files. Since then, cases of macro-based malware have grown exponentially, and these handy software shortcuts continue to be used as vectors to infect systems via Word or Excel files. These files often come disguised as invoices, receipts, legal documents, and other files that look legitimate to an unwitting victim.
However, a macro can also be written specifically as a virus, worm, or malicious script that causes a machine to call out to an attacker’s command-and-control (C2) server to download additional malicious payloads, upload sensitive data, or carry out other nefarious acts.
The bottom line is that while macros can be used effectively by an organization’s users to improve their productivity, the same VBA language can also be used to create malware.
If macros are not disabled by default, the attacker’s job is made easy. An unsuspecting victim can invite malware onto their system just by opening a file with a malicious macro embedded in it. But even when macros are disabled by default, just tricking a user into enabling macros — often by clicking a button in a pop-up window to view the lure document — can open up a direct connection that attackers can use for additional exploitation.
How to Help People Defend Against Malicious Macros
There are several ways to protect your enterprise against malicious macros.
First and foremost, educate your users on social engineering techniques and phishing emails, and on how to look out for unsolicited emails with suspicious attachments. End users must be made aware that even if they accidentally open an email and click on an attached file, seeing the “Enable Macros” dialog box means it’s time to push away from the desk like they just contracted the plague, and think long and hard about what they should do next.
Part of that training should teach users a simple concept: If you did not expect to receive an invoice, notice, bill, or other attachment, then you shouldn’t open it. We often forget the stress, pressure, and time constraints present in today’s work, but threat actors don’t. The more harried and distracted we are, the better they like it.
Often, the social engineering and crafting of such emails is so good, that even people who take the time to carefully consider what they’re clicking on can be duped. In fact, a recent FBI alert estimates that business email compromise (BEC) scams have cost US companies over $43 billion to date. User training should emphasize that it is okay to slow down, ask for a second opinion, “phone a friend,” or do a little background checking when handling email on a corporate device, because your laptop or PC is essentially a gatekeeper to your entire organization.
An additional aspect of handling email concerns employees checking personal webmail at work through a web browser. The fact that their webmail session runs over HTTPS (port 443) only means that the phishing email and the traffic between the corporate device and the mail server are encrypted. If they click on a poisoned attachment, it still opens in the memory (RAM) of their corporate device, potentially providing threat actors with illicit access to the corporate network.
Even though phishing and emailed attachments are a primary method that cybercriminals use to distribute compromised documents, we must not forget that the same macro-infected files may be handed to us on thumb drives or external storage devices, or downloaded from seemingly safe and trusted websites, as in the case of SEO poisoning. Everything introduced to the corporate network should be treated as potentially toxic until it is scanned for malware and declared safe.
Using Technology to Block Weaponized Macros
One option for blocking malicious macros is disabling them by default in a corporate Office 365® environment via Group Policy Object (GPO) trust center settings. While an employee may still open an infected file, disabling macros by default forces them to make a conscious choice to enable them. When bolstered with training, it may give them the pause they need to critically consider whether they have a valid reason for doing so.
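As an added example (not from the original post), the PowerShell below audits the VBA macro policy values that such a GPO trust center setting writes to the per-user Policies hive and, on request, applies the hardened values. It assumes Office 2016/2019/365 (version key 16.0), checks Word, Excel and PowerPoint, and runs as the user whose policy is being inspected.

```powershell
# Added example, not from the original post: audit and harden the Office VBA macro policy
# that a GPO trust-center setting writes to the per-user Policies hive.
# Assumptions: Office 2016/2019/365 (version key "16.0"); Word, Excel and PowerPoint are
# the applications checked; the script runs as the user whose policy is being inspected.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 1 = enable all, 2 = disable with notification (the Office default when
# no policy is set), 3 = disable all except digitally signed, 4 = disable all silently.
$labels = @{ 1 = 'enable all (weak)'; 2 = 'disable with notification'
             3 = 'signed macros only'; 4 = 'disable all without notification' }

function Get-MacroPolicy {
    foreach ($app in $apps) {
        $key  = Join-Path $base "$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        if ($null -eq $vba) { $label = 'not set (user can choose)' } else { $label = $labels[[int]$vba] }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $label
            BlockInternetMacros = ($motw -eq 1)   # "Block macros from running in Office files from the Internet"
            Hardened            = ($vba -in @(3, 4)) -and ($motw -eq 1)
        }
    }
}

function Set-MacroPolicy {
    # 3 keeps signed, vetted macros usable; 4 disables macros outright for that application.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $apps) {
        $key = Join-Path $base "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Audit first; call Set-MacroPolicy afterwards to apply the hardened values for the current user.
Get-MacroPolicy | Format-Table -AutoSize
```

A domain-wide rollout still belongs in the GPO itself; this script is useful for verifying on a workstation that the policy actually arrived with the intended values.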
Another way to protect your organization is to look at your other security tools and their capabilities. For example, CylancePROTECT® is an AI-based endpoint protection platform (EPP) that offers a feature called Script Control. Script Control allows administrators to enable appropriate scripts on appropriate systems, while disabling all other scripts (unsafe/unauthorized) on the rest of the enterprise. You might think of it in terms of script “whitelisting” on a system-by-system basis. This capability also includes the ability to provide an approved location where scripts can be run without intervention. This allows the use of authorized IT automation and software installation/upgrade scripts while still blocking any unauthorized or potentially harmful scripts.
In addition, CylanceOPTICS®, the BlackBerry® endpoint detection and response (EDR) platform, uses its Context Analysis Engine to block scripts that behave in unexpected or potentially malicious ways — such as downloading files and storing them in non-approved directories — or PowerShell scripts that launch encoded commands, which can hide malicious intent.
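The following is an added example (not BlackBerry’s code or the Context Analysis Engine) of the kind of behavioral check described above, run over constructed process-creation records rather than a live EDR feed. It assumes records carrying ParentImage, Image and CommandLine fields, as Sysmon Event ID 1 does, and flags an Office parent process launching PowerShell with an encoded command, decoding the command so an analyst can see what it would have run.

```powershell
# Added example, not from the original post: flag Office applications spawning PowerShell
# with an encoded command, and decode that command for the analyst.
# Assumptions: records with ParentImage, Image and CommandLine (Sysmon Event ID 1 shape);
# the sample events below are constructed, not real telemetry.
$officeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'msaccess.exe'

function Get-EncodedPayload {
    param([string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so match on the prefix rather than on one spelling. Payload is Base64 of UTF-16LE text.
    $tokens = $CommandLine -split '\s+'
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i] -match '^[-/](\w+)$' -and 'encodedcommand'.StartsWith($Matches[1].ToLower())) {
            try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($tokens[$i + 1])) }
            catch { return $null }   # next token was not Base64; not an encoded command
        }
    }
    return $null
}

function Test-OfficeSpawnedEncodedPowerShell {
    param([pscustomobject]$Event)
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $image  = [IO.Path]::GetFileName($Event.Image).ToLower()
    if ($parent -notin $officeParents -or $image -notin @('powershell.exe', 'pwsh.exe')) { return $null }
    $decoded = Get-EncodedPayload -CommandLine $Event.CommandLine
    if ($null -eq $decoded) { return $null }
    [pscustomobject]@{ Parent = $parent; Child = $image; Decoded = $decoded
                       Verdict = 'block: Office parent launched encoded PowerShell' }
}

# Constructed sample events: one suspicious (Word -> encoded PowerShell), one benign.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed sample'"))
$events = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell.exe -NoProfile -enc $encoded" }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
)
$events | ForEach-Object { Test-OfficeSpawnedEncodedPowerShell $_ } | Format-List
```

Only the first record produces a verdict; the explorer.exe-launched script is left alone, which is the distinction between blocking unexpected script behavior and blocking all scripts.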
The Bottom Line
Macros can be valuable for boosting productivity — for both legitimate business users and malicious threat actors. By combining user training with advanced EPP and EDR technologies, your organization can benefit from the legitimate uses of macros, while blocking those that can put your organization at risk.