Microsoft’s Macro Reversal Invites a Resurgence of Office Malware

“Then leaf subsides to leaf.
So Eden sank to grief,
So dawn goes down to day.
Nothing gold can stay.”
-Robert Frost

In January 2022, Microsoft announced that Excel 4.0 macros would be restricted by default, to protect users from malicious macros. In February 2022, Microsoft announced that VBA macros would also be blocked for files downloaded from the internet. Cybersecurity professionals and enthusiasts rejoiced at the news! Malicious Office documents were running rampant. Attackers abused Microsoft Office macros to deliver BazarLoader and Trickbot, and remote access trojans like AveMaria and AgentTesla. We at Netskope Threat Labs joined in the celebration. We watched as Emotet started to shift tactics. We scratched our heads when we saw Emotet Excel documents continue to circulate.

Most importantly, we watched as the percentage of Office malware detected by the Netskope Security Cloud platform steadily decreased. Since February, Office documents have accounted for less than 15% of all malware, spending most of the last five months below 10%. Office documents accounted for 35% of all malware at this time one year ago, and more than 25% of malware for most of the second half of 2021.

Then, on July 7, 2022, Microsoft quietly reversed course, re-enabling VBA macros for files downloaded from the internet. We expect that attackers will pick up right where they left off, and we will soon see a spike in malicious Office documents. We strongly encourage everyone to override the defaults and disable VBA macros to help protect against malicious macros.

Protection

Netskope provides multiple layers of protection against malicious Office documents, including signatures, advanced heuristics, machine learning, and sandboxing.