In early February 2022, Microsoft announced that macros in files obtained from the Internet would be blocked by default to improve the security of Microsoft Office. According to a blog post published in late February 2023, this change began rolling out in some update channels in April 2022. Other channels followed in July and October 2022, with the final rollout in January 2023.[1]
Office uses a specific algorithm to determine whether to run macros in files from the Internet. The process starts by checking the file's attributes. If the file carries a Mark of the Web (MOTW), Office verifies whether it resides in a trusted location, performs further checks, and based on those outcomes decides whether to block or run the macro.
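As an added example, not code from the report, the following Python models the first two steps of that decision: it parses the Zone.Identifier alternate data stream that carries the MOTW and checks the file path against a trusted-location list. The sample stream and the trusted-location path are constructed values, and the "further checks" Office performs (policy and trusted-publisher evaluation) are left out.

```python
from pathlib import PureWindowsPath
from typing import Optional

# ZoneId values written by browsers and mail clients: 3 = Internet, 4 = Restricted sites.
# Office treats either as "from the Internet" for the macro-blocking rule.
INTERNET_ZONE_IDS = (3, 4)

# Constructed sample of a Zone.Identifier stream, as found on a downloaded file.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.docm\r\n"
)

# Assumed trusted location for the example; a real check reads the Trust Center list.
TRUSTED_LOCATIONS = [r"C:\Users\alice\AppData\Roaming\Microsoft\Templates"]


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section and return its key/value pairs."""
    values = {}
    in_section = False
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def has_mark_of_the_web(stream: Optional[str]) -> bool:
    """True when the stream exists and its ZoneId marks an Internet-origin file."""
    if stream is None:
        return False
    zone = parse_zone_identifier(stream).get("ZoneId", "")
    return zone.isdigit() and int(zone) in INTERNET_ZONE_IDS


def in_trusted_location(path: str, trusted=TRUSTED_LOCATIONS) -> bool:
    """True when the file sits under one of the trusted folders (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(t) in p.parents for t in trusted)


def blocked_by_internet_macro_rule(path: str, stream: Optional[str]) -> bool:
    """Simplified decision: block only if MOTW is present and the file is not in a trusted location."""
    return has_mark_of_the_web(stream) and not in_trusted_location(path)
```

A file without the stream, or with ZoneId 0 to 2, falls through to the ordinary macro settings rather than this rule.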
Since that announcement, researchers have observed cyber threat actors testing and adopting new infection vectors to replace Office macros. These include .hta, .lnk, and .chm files and the exploitation of Office vulnerabilities (Equation Editor and Follina are the most common), and over the past year we have seen cyber threat actors use .xll files to distribute their malicious payloads.
Link to full report: IR-23-105-002_WindowsUpDate.pdf
[1] https://www.fortinet.com/blog/threat-research/are-internet-macros-dead-or-alive/