Microsoft released Excel 4.0 for Windows 3.0 and 3.1 in 1992, and its macro language, Excel 4.0 macros (XLM), is still used in legacy workbooks at many companies. The issue is that bad actors have started using Excel sheets and these macros as a new way to deliver malware. Tal Leibovich, head of threat research at Deep Instinct, a cybersecurity company specializing in endpoint protection that uses deep learning to stop cyberattacks, explained that this legacy scripting language has been the reason for a recent rise in malware delivery. Security vendors first noticed a spike in this kind of attack in early 2020; Microsoft has since added a runtime defense, AMSI scanning of Excel 4.0 macros while they execute, to counter it.
Since then, there has been a substantial increase over the last two years in attackers using Excel 4.0 macros. Attackers are using creative tactics to build new attack routes, combining Excel commands with API calls into Windows. A common pattern is to place a short command fragment in one cell and the next fragment in another, then jump between cells (GOTO, hidden or very hidden macro sheets, strings assembled from CHAR() codes) so that no single cell contains anything a signature would recognize; the complete payload exists only once the macro engine has stitched it together. The problem is that this is a legitimate Excel capability: it is not always malicious, and many organizations have legacy files that depend on it. The challenge is creating a good detection engine that can spot actual threats without generating false positives and noise.
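As an added example (not code from the article or from Deep Instinct), the Python below walks a constructed XLM macro sheet the way the macro engine would: it follows GOTO jumps, evaluates SET.VALUE writes, resolves CHAR() and cell concatenation, and only then checks whether the resolved string reaches a function that leaves the workbook. The cell contents, the entry cell and the list of dangerous functions are assumptions made for illustration, and the walker covers only a small subset of XLM.

```python
"""Follow an Excel 4.0 (XLM) macro sheet the way the macro engine would: start at the
entry cell, follow GOTO jumps, resolve CHAR()/& string building that is spread across
cells, and record which resolved strings reach a function that leaves the workbook.
Constructed example: the cell contents below are made up to illustrate the technique
and are not a real sample."""
import re

# XLM functions that reach outside the workbook (process execution, Win32 API calls,
# writing formulas or files) and therefore deserve a look once their arguments resolve.
DANGEROUS = {"EXEC", "CALL", "REGISTER", "REGISTER.ID", "FORMULA", "FORMULA.FILL",
             "FOPEN", "FWRITE", "RUN"}

CELL_RE = re.compile(r"^\$?([A-Z]{1,3})\$?(\d+)$")
CALL_RE = re.compile(r"^=([A-Z][A-Z.]*)\((.*)\)$", re.S)


def split_top_level(text, sep):
    """Split text on sep, ignoring separators inside quotes or parentheses."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def resolve(expr, sheet, depth=0):
    """Reduce a string-building expression to the string the macro would see."""
    expr = expr.strip()
    if depth > 20:                                  # guard against self-referencing cells
        return expr
    parts = split_top_level(expr, "&")
    if len(parts) > 1:                              # concatenation: resolve each piece
        return "".join(resolve(p, sheet, depth + 1) for p in parts)
    if len(expr) >= 2 and expr[0] == expr[-1] == '"':
        return expr[1:-1]                           # string literal
    m = re.fullmatch(r"CHAR\((\d+)\)", expr)
    if m:
        return chr(int(m.group(1)))                 # CHAR(99) -> "c"
    if CELL_RE.match(expr):                         # reference: follow it into the sheet
        val = str(sheet.get(expr.replace("$", ""), ""))
        return resolve(val[1:], sheet, depth + 1) if val.startswith("=") else val
    return expr                                     # anything else is left as written


def next_cell(ref):
    """The cell below ref, which is where XLM continues after a non-jumping formula."""
    col, row = CELL_RE.match(ref).groups()
    return f"{col}{int(row) + 1}"


def run_macro(sheet, entry="A1", max_steps=200):
    """Walk the macro from entry; return [(cell, function, resolved arguments)]."""
    sheet = dict(sheet)                             # SET.VALUE mutates a private copy
    findings, cell = [], entry
    for _ in range(max_steps):
        m = CALL_RE.match(str(sheet.get(cell, "")).strip())
        if not m:                                   # empty or non-formula cell ends the run
            break
        func, args = m.group(1), split_top_level(m.group(2), ",")
        if func in ("HALT", "RETURN"):
            break
        if func == "GOTO":                          # control-flow jump to another cell
            cell = args[0].replace("$", "")
            continue
        if func == "SET.VALUE" and len(args) == 2:  # payload fragment written to a cell
            sheet[args[0].replace("$", "")] = resolve(args[1], sheet)
        elif func in DANGEROUS:
            findings.append((cell, func, [resolve(a, sheet) for a in args]))
        cell = next_cell(cell)
    return findings


# Constructed malicious sheet: A1 jumps into column C, "cmd" is assembled from CHAR()
# codes into D1, the full command line is built in D2 from D1 plus a value parked in E9,
# and only then is it handed to EXEC. No single cell contains a recognisable command.
MALICIOUS = {
    "A1": "=GOTO(C5)",
    "C5": "=SET.VALUE(D1,CHAR(99)&CHAR(109)&CHAR(100))",
    "C6": '=SET.VALUE(D2,D1&" /c "&E9)',
    "C7": "=EXEC(D2)",
    "C8": "=HALT()",
    "E9": "calc.exe",
}

# Constructed legitimate sheet: the same SET.VALUE primitive, but nothing ever reaches a
# function on the DANGEROUS list, so the walker reports nothing.
BENIGN = {
    "A1": '=SET.VALUE(B1,"Q3 totals")',
    "A2": "=ALERT(B1)",
    "A3": "=RETURN()",
}

if __name__ == "__main__":
    for name, sheet in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, run_macro(sheet))
```

The point of the walker is the one the paragraph makes: a per-cell string match sees `CHAR(99)`, `D1` and `EXEC(D2)` and has nothing to alert on, while the resolved argument `cmd /c calc.exe` is what a detection rule should be matched against. The benign sheet uses the same cell-writing primitive and produces no finding, which is the false-positive case a production engine has to get right. For real files, open-source tools such as oletools (olevba) and XLMMacroDeobfuscator implement this resolution far more completely than this illustration.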
Macro worms and viruses primarily use Visual Basic for Applications (VBA), the macro language of modern Microsoft Office, which is a popular and easy target. Excel 4.0 macros are a separate, older mechanism, so a control that only addresses VBA does not necessarily cover them. The way to protect against this kind of malware is to block all inbound macro-enabled and macro-embedded files (.xlsm, .xlsb and legacy .xls among them) at the email and file-transfer pathways. Any Microsoft 365 organization can set a Group Policy to ‘disable all macros,’ with or without notification to the user, to cover the case where a file slips through the defenses or someone is allowed to run a file from an external drive or media; the Office administrative templates also carry a separate ‘Prevent Excel from running XLM macros’ policy that should be set alongside the VBA setting. Most endpoint antivirus software can be configured to block macros.
If your organization must use macro functionality to operate, it is suggested to run that functionality and those users in virtual desktop environments to limit the spread or damage from macro malware that gets through. User education about cybersecurity only works when it is practiced and measured repeatedly, and it is important to establish real consequences when people break the rules. Two specific tactics are effective in influencing user behavior. The first is adding specific language about responsible cybersecurity behavior to performance reviews. The other is giving each leader a monthly or quarterly score based on the number of user-related security errors that have occurred on their watch.