October 25, 2020

Microsoft provides malicious macro scanning and detection for Microsoft Office 365

Many business users rely on Office VBA for its powerful functionality, but that same power brings security risks, such as the execution of malicious code.

Over the past five years, attackers have launched many attacks through Office VBA. The main reason is that ordinary users do not understand macros well and are therefore easily lulled into lowering their guard.

For example, the most common way of delivering attacks through Office VBA is spam e-mail. When the user opens the attached document, a prompt to enable macros appears.

Once macros are enabled, the module carrying the malicious code executes it, and in combination with other vulnerabilities it can go on to obtain administrative rights on the user's operating system.


Microsoft’s macro security scanning service:

Macro security scanning is implemented mainly through the Antimalware Scan Interface (AMSI), which calls Windows Defender to monitor macro security in real time.

Macro modules that Windows Defender cannot classify locally are also uploaded to the cloud, where cloud-based analysis continues to determine whether the module is safe.

Even malicious macro modules that use obfuscation can be identified, improving protection against files that carry malicious macros.


Record behaviour and active triggering:

Most malicious macros use obfuscation to evade routine detection, so Microsoft now explicitly supports detection based on the behaviour of obfuscated macro modules.

In the defined process, the system first records all of the macro module's behaviour, then triggers the macro module's actions, and finally intercepts them if they are judged malicious.

On the cloud side, Microsoft also integrates Windows Defender ATP for cloud-based recognition, which can significantly improve the efficiency of judging whether a macro is malicious.


First to launch for Microsoft Office 365:

This feature is currently available to Microsoft Office 365 subscribers; it is unclear whether it will be supported in other versions.

Users do not need to do anything. The feature is enabled by default once the upgrade to the latest version is installed, and scanning is triggered when a document carrying a macro module is activated.

The caveat is that although Microsoft provides this protection, users should still treat macros with caution: most macro-carrying documents downloaded from the Internet contain malicious macros.

For ordinary users who do not need macros, it is best to disable them outright, which avoids accidentally falling into a phishing trap.

Via: Microsoft