When analysing the delivery mechanisms used by malware in August 2018, Cofense Intelligence found that 45% of malware was sent via Microsoft Office macros. Attackers tend to use Office macros as the first stage of the infection chain, which makes them the primary means of delivering malicious programs in about 45% of security incidents.
Office macros are one of the best tools used by attackers to deliver malware because they are enabled by default on most computers running Microsoft Office, and in organisations with stricter security policies and features disabled.
Office macros have been used to deliver anything from insignificant bots to very dangerous ransomware payloads. With the help of specially crafted Visual Basic scripts, Office macros can easily be turned into malicious tools that make compromised computers download or run a payload from a remote server.
Although macros in email attachments may seem like an infection method used only by low-level threats, Cofense Intelligence found that they are also used to deliver complex and hazardous malware such as Geodo, Chanitor, AZORult and GandCrab. According to Cofense Intelligence's report, Office macros have been observed delivering everything from simple bots to highly dangerous ransomware payloads, which could weaken the entire corporate network.
As a mitigation measure, anti-phishing solution providers recommend disabling macros in an enterprise environment by whitelisting the sources that employees can use to receive Office documents or using anti-malware software that detects and blocks malicious macro components.
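The source allowlisting and macro detection described above can be combined in a mail-gateway check. The following is an added example, not code from the Cofense report: it classifies an attachment by its content rather than its file name and quarantines macro-capable documents from senders outside an allowlist. The function names, sender addresses and sample archive are hypothetical and constructed for the demo.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # legacy .doc/.xls/.ppt container
VBA_TYPE = b"application/vnd.ms-office.vbaproject"   # OOXML content type, lowercased

def classify(data: bytes) -> str:
    """Classify raw attachment bytes by content, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"   # may hold macros; needs an OLE parser to be sure
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Read at most 1 MiB so a crafted archive cannot exhaust memory.
            with zf.open("[Content_Types].xml") as part:
                types = part.read(1 << 20).lower()
            return "macro" if VBA_TYPE in types else "no-macro"
    except zipfile.BadZipFile:
        return "not-office"

def decide(sender: str, data: bytes, allowlist: set) -> str:
    """Deliver macro-capable documents only from allowlisted senders."""
    if classify(data) in ("macro", "legacy-ole") and sender.lower() not in allowlist:
        return "quarantine"
    return "deliver"

def build_sample(with_macro: bool) -> bytes:
    """Constructed OOXML-like archive for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    allow = {"reports@partner.example"}   # hypothetical allowlisted source
    for sender in ("reports@partner.example", "unknown@mail.example"):
        print(sender, decide(sender, build_sample(True), allow))
    print("plain", decide("unknown@mail.example", build_sample(False), allow))
```

Legacy OLE files are treated as macro-capable here because confirming a VBA project inside them requires a dedicated OLE parser.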