What Are Malicious Macros?
You may already know that a macro basically is a written sequence that can imitate your keystrokes and your mouse commands, to automatically repeat some (defined) tasks in applications.
It is quite common to use macros in many MS-Office products, Word, Excel etc to automate processes and data flows. When you create a macro it is embedded within the code of those files. It enables you to create short-cuts for specific tasks. For example
They can sort worksheet alphabetically.
They can merge or unmerge cells.
They can hide or unhide all (or selected) rows/columns.
What happens next is that- when you open that file, you or any other user for that matter, will be prompted by a notification, asking you if you would like to enable the macro that is embedded in that file.
When you create a macro, you can use a signed certificate on macro to confirm that it were you or your company who is the original & legitimate author of that macro. This is a great way for organisations to control & verify what macros are authorized for use in those applications.
Creating or writing macros is not a rocket-science. You can write macros, network administrators can write macros, your service-providers can write macros.
So can hackers and most threat-actors. Here is where danger lies...
They can create malicious macros and include them in documents so that those can be transmitted through your organization. These malicious macros can compromise applications and can badly affect systems throughout your network, if not contained early.
Day by day the techniques of the threat actors are evolving so that they can evade detection to perform a successful attack. The new techniques that are being utilized by the threat actors are using macro obfuscation, DDE, living off the land tools (LOLBAS), and even using legacy-supported XLS formats to execute all their operations.
-
A threat actor may send you an email with an attachment containing malicious macros. If your organization uses macros from internal and external sources, your systems and information may be at risk to some of the following threats.
The entire sinister design comes in to action the moment you click on 'Enable' macro button.
1. MACRO VIRUSES
Malicious code that is disguised as a legitimate macro and embedded in an application. Macro viruses can automatically run when documents are open and infect your files. Infected files can damage the contents of documents and spread to other software and files that it comes in contact with (e.g. disk files, network files, email attachments, etc) or infect your entire system.
2. UNAUTHORIZED ACCESS
Threat actors use malicious macros to bypass security controls (e.g. allow list) and gain access to your systems and network. These macros can be used to execute malicious content and have ability to steal or destroy your company's sensitive information.
Phishing attempts often use malicious macros in the attached files of their messages, disguised as legitimate attachments. The email text may request opening from the recipient as an attachment, and run the macros that it contains to view sensitive information. When the macros run, malware coded into the VBA will begin to infect all files that are opened using Microsoft Office. The malware may be constructed, and then relays the data in a file back to the hackers as worth their time, or it may render your file useless.
3. INSIDER THREATS
Anyone who has knowledge of or access to your infrastructure and information can cause harm, either knowingly or accidentally.
Regarding the use of malicious macros, insider threats can exist if someone has the ability to perform the following functions:
-
Create macros (e.g. copying code from unverified external sources), including macros containing sensitive information (e.g. passwords).
-
Spread macros throughout the organization (e.g. sharing documents).
-
Forward documents from external sources (e.g. not verified by your organizations policies).
-
Spread documents with malicious macros through cloud components.
-
What Can You Do To Fight The Menace?-
Disable default macros that are not required.
-
Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros.
-
Enforce the principle of least privilege to assign administrative privileges and account access.
-
Ensure users cannot re-enable disabled macros.
-
Use organization-developed or signed macros that are verified by technical authorities.
-
Ensure macros cannot contain any sensitive information (e.g. personal credentials).
-
Audit actions made by users developing macros in the organization (e.g. administrative changes).
-
Train your organization’s users and provide guidance on macro security to support awareness.
-
Update and patch applications and systems frequently.
-
Enterprises can prevent macro malware from running executable content using ASR rules.
Remember:
You must disable macros from external sources. Although there are trusted ways of using macros and protecting your systems from malicious macros, there are still risks. Macros from external sources open up your organization to unintended consequences.
-
Kindly write 
your comment on the posts or topics, because when you do that you help me greatly in 
designing new quality article/post on cybersecurity.
your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM