“Consider the Macro Perspective” — The Persistence of Macro-based Malware
Use SquareX to put an end to their three-decade streak

Office documents, encompassing a range of formats such as Word, Excel, and PowerPoint, have become deeply entrenched in the daily operations of countless organisations worldwide.
One can argue that Microsoft was ahead of its time in creating a work tool that became indispensable for generating reports, presentation decks, and contract documents, to name a few.
To make this more convenient, macros, executable code components that help automate tasks within documents, were introduced with the release of Microsoft Excel 4.0 in 1992. This version of Excel included the ability to record and run macros using a macro programming language called Excel 4.0 Macro Language (XLM). Later, with the release of Microsoft Office 97, Visual Basic for Applications (VBA) was introduced, which provided a more robust and versatile way to create and manage macros across various Office applications such as Word, Excel, and PowerPoint. VBA has since become the standard macro language for Microsoft Office documents, greatly enhancing the automation and customization capabilities of these tools.
Macro scripts are designed to simplify repetitive tasks, allowing users to automate processes such as formatting documents, generating reports, and syncing data. For example, in Excel, a macro might be used to automate complex calculations across multiple spreadsheets, saving time and effort for users.
With great power comes great responsibility — one that Microsoft doesn’t seem to have quite figured out yet. Since the introduction of macros, countless pieces of macro-based malware have been circulated, and they continue to circulate to date. This article recounting macro-based malware from 1995–2015 is a refreshing read.
20 Years of Macro Malware: From Harmless Concept to Targeted Attacks
Three decades on, this year, European government agencies were breached when Russian hackers sent phishing emails with Word documents containing macro code embedded with a backdoor for Lunar malware.
Russian hackers use new Lunar malware to breach a European govt's agencies
Despite the fixes Microsoft has rolled out over the years, this attack type is still popular. Given the sheer volume of people using these applications daily, macro-based malware slips through many common detection engines when the samples are very new.
So, how can SquareX protect organisations from this gift that keeps on giving?
If you have been following us since we launched the free Chrome Extension on the web store last year, you may have tried our ‘Malicious Document Detector’ feature. With it, we accurately detect the presence of macros in Office documents, inspect the file structure to detect tampering, and inspect the macro code to detect risky function calls. SquareX can even detect AV evasion methods like Macro Purging and Stomping!
- Make Way for SquareX’s Groundbreaking Browser-Native Detection of Malicious Files: Purged Macros
- Unveiling the Blind Spots: How SquareX Fills the Void in Gmail’s Detection of VBA Stomping
Similarly, with SquareX Enterprise, organisations can create a policy to block or isolate files if VBA or XLM macros are present. Alternatively, admins can create policies that block only when SquareX’s file scanner detects suspicious or malicious macros.
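As an added illustration of the macro-presence check described above (this is not SquareX's code and not part of the original post), the following Python example inspects an OOXML package for VBA project parts and Excel 4.0 macro sheets, and flags macro parts carried under a macro-free extension. The function names and the sample file are constructed for this example; purging and stomping detection are outside its scope.

```python
# Added example: function names and sample data are hypothetical/constructed.
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def scan_office_file(name: str, data: bytes) -> dict:
    """Report macro indicators in an Office file given its name and raw bytes."""
    result = {"container": "unknown", "vba_parts": [], "xlm_sheets": [],
              "macro_content_type": False, "extension_mismatch": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams and need an OLE
        # parser, so only the container type is reported here.
        result["container"] = "ole2"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result                      # a ZIP, but not an OOXML package
        result["container"] = "ooxml"
        for part in names:
            lower = part.lower()
            if lower.endswith("vbaproject.bin"):
                result["vba_parts"].append(part)       # VBA project storage
            elif lower.startswith("xl/macrosheets/") and lower.endswith(".xml"):
                result["xlm_sheets"].append(part)      # Excel 4.0 (XLM) macro sheet
        types = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        result["macro_content_type"] = "macroenabled" in types or "vbaproject" in types
    has_macros = bool(result["vba_parts"] or result["xlm_sheets"])
    # Macro parts behind a macro-free extension suggest renaming or repackaging.
    result["extension_mismatch"] = has_macros and name.lower().endswith(MACRO_FREE_EXT)
    return result


def build_sample(parts: dict) -> bytes:
    """Build a constructed in-memory OOXML-like package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()


if __name__ == "__main__":
    ct = ('<Types><Override PartName="/word/vbaProject.bin" '
          'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    sample = build_sample({"[Content_Types].xml": ct, "word/vbaProject.bin": b"constructed"})
    print(scan_office_file("invoice.docx", sample))
```

A policy layer like the one described above could block or isolate on any non-empty `vba_parts` or `xlm_sheets`, and treat `extension_mismatch` as a stronger signal.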

Employee's view when downloading a macro-enabled document:


So as not to hinder employee productivity, SquareX automatically provides options to view the document safely. If an employee selects the ‘Open in Safe File Viewer’ option, they are presented with the choice to open the file in an isolated cloud container (SquareX’s disposable file viewer) or with Office 365 Online.



Alternatively, employees can also download macro-free versions of the document or PDFs.



If your enterprise is still heavily reliant on Office documents for day-to-day work, consider adopting SquareX to ensure employees don’t fall prey to malware embedded in Office documents.
Email us at [email protected] for a demo!

“Consider the Macro Perspective” — The Persistence of Macro-based Malware was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Engineering @ SquareX. Read the original post at: https://labs.sqrx.com/consider-the-macro-perspective-the-persistence-of-macro-based-malware-072ceab46ae5?source=rss----f5a55541436d---4

