It’s a well-known scenario: a company employee receives an email with an Excel file attached. The subject varies: human resources, financial projections, an exchange of customer files …

Convinced of the credibility of the message, the recipient downloads the document and opens it to see its contents. The trap then closes on them. The Excel file serves as a launching pad for the deployment of malware [malicious software, editor's note], whose damage ranges from the extraction of confidential data to the complete paralysis of the computer system.

Macros, the number one email threat

In this scenario, the cybercriminals have exploited “macros”, an advanced feature of popular office software. Concretely, they write complex commands, composed of text and numbers, in the cells of the Excel spreadsheet. When the software reads these commands, they instruct the Windows system to download and install malware. In normal use, macros automate all kinds of tasks: generating reports, complex calculations, importing databases … And that is precisely why they have such power to act.

Because macros are an entry point for threats, many organizations disable them by default on their computer systems. Thus, even if one of their employees downloads a malicious Excel file, the malware will not be downloaded automatically: the user would first have to click an “allow macros” button, manually.

This first level of protection avoids catastrophes, but it remains permissive. “If a hacker manages to contextualize his email in a convincing way, in relation to the news or the activity of the company, he can make his target believe that he needs to activate the macros,” recalls Adrien Gendre, chief product officer of Vade (formerly Vade Secure), a French company specializing in email protection. In other words, disabling macros reduces the hackers' chances of success, but they only need to be more persuasive for their attack to succeed.

According to him, although macro attacks have existed for a long time, “the boom in the use of macros began in 2014, with ransomware.” As a result, today the “very large majority” of malware propagated by email and detected by antiviruses goes through macros in Excel, PowerPoint, Word or even PDF files, document types that companies cannot do without and that defenders therefore cannot ban.

Behind these attacks are large cybercriminal organizations (with financial objectives) or groups in the pay of states (with strategic objectives).

“We are dealing with real businesses, very structured, capable of segmenting their value chain: the most technical people build the base to launch the attack, then local teams will add specific details to the campaign,” observes Adrien Gendre.

Microsoft forced to intervene

Over the past two years, one particular type of macro attack has seen exceptional growth. Cybercriminals have taken a renewed interest in an old Excel macro system: XLM, created in 1992 but still functional. One reason for this sudden interest? Unlike the more recent VBA macros, XLM macros were not covered by the Antimalware Scan Interface (AMSI), the scanning tool Microsoft launched in 2018. The result: in 2020, close to a dozen cybersecurity companies in turn published reports describing several waves of attacks that abused this lack of protection. The researchers agreed: not only was this mode of attack coming back into fashion, it was also becoming more and more complex.

To counter this spike, Microsoft had to integrate XLM macros into AMSI in March 2021, before announcing in early October that they would be disabled by default on all versions of Office 365, that is to say for its paid subscribers, by the end of the year. These actions may not greatly increase user security, but they are symbolic: Microsoft recognizes, and partly addresses, the use of macros for malicious purposes. Even if cybersecurity observers always expect more from the publisher, this is a first step.

Detect suspicious behavior

In detail, Microsoft’s AMSI supports the work of antiviruses, starting with Microsoft's own Defender. Concretely, it better exposes the composition of files, and of the macros they contain. This is welcome help, because spotting these attacks is not easy for antiviruses. “Keep in mind that there is no threat directly in macros,” recalls Adrien Gendre. The document itself does not contain the malware; it only kicks off its installation.

Faced with detection, cybercriminals constantly redouble their creativity to hide, or “obfuscate” in the jargon, their malicious macros (among other evasion methods). Instead of simply writing the commands that launch the attack, they wrap them in a mass of text whose sole purpose is to throw off the detection algorithms. They create what Microsoft calls an “armor”, with the aim of parasitizing antiviruses. And it is this armor that AMSI must lift, in order to “expose malicious code to enhanced verification levels.”

On Vade's side, “we do not try to detect the threat, but a particular behavior.” Concretely, the French company's tools try to evaluate obfuscation behaviors (size of the macro, formatting of variables, etc.) rather than the malware itself. “If the way in which the code is constituted does not seem legitimate, we block, even though we do not know that it is precisely the threat,” says Adrien Gendre.

This increasingly popular defense philosophy avoids a cat-and-mouse game with hackers, who are capable of creating thousands of unique versions of their malicious macros. Historically, antiviruses have detected threats by their signature, a very precise fingerprint derived from their code. If the malware changes even slightly in structure, its signature changes too. By tackling behavior rather than chasing thousands of signatures, defenders are trying to regain the initiative. At least, until cybercriminals innovate again.
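The two approaches described in this section, an exact signature versus a score built from how the macro is written, can be compared on a small scale. The following Python is an added example for this article, not code from Vade, Microsoft or any antivirus vendor. The macro samples are constructed and harmless (each only shows a message box), and the features, weights and threshold are assumptions chosen to illustrate the idea, not a real product's detection logic.

```python
"""Signature matching vs. obfuscation heuristics over macro source text.

Added example (not a vendor's code). A one-byte change to the macro defeats a
hash signature, while a score built from "how the code is constituted" (random-
looking identifiers, strings assembled from character codes, concatenation
density, macro size, autorun entry points) survives the change.
"""
import hashlib
import math
import re
from collections import Counter

# --- constructed samples: benign, they only display a message box ----------
CLEAN_MACRO = """Sub GenerateReport()
    Dim total As Double
    total = Application.WorksheetFunction.Sum(Range("B2:B20"))
    Range("B21").Value = total
    MsgBox "Report done: " & total
End Sub
"""

# Same kind of message box, but written the way obfuscated macros tend to be:
# meaningless identifiers and a string built from character codes.
OBFUSCATED_MACRO = """Sub Auto_Open()
    Dim xK9qLmPw As String, zR4tVbNc As String, qW7eRtYu As String
    xK9qLmPw = Chr(72) & Chr(101) & Chr(108) & Chr(108) & Chr(111)
    zR4tVbNc = StrReverse("dlrow")
    qW7eRtYu = xK9qLmPw & Chr(32) & zR4tVbNc
    MsgBox qW7eRtYu
End Sub
"""

# A "new version" of the same macro: one extra space, nothing else changed.
OBFUSCATED_VARIANT = OBFUSCATED_MACRO.replace("MsgBox qW7eRtYu", "MsgBox  qW7eRtYu")


def signature(source: str) -> str:
    """Exact-match signature: SHA-256 of the macro text."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def signature_match(source: str, known_bad: set) -> bool:
    return signature(source) in known_bad


# --- heuristic features (assumed for the demo) ----------------------------
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
VBA_KEYWORDS = {"Sub", "End", "Dim", "As", "String", "Double", "MsgBox", "Chr",
                "StrReverse", "Range", "Value", "Application",
                "WorksheetFunction", "Sum"}
AUTORUN_NAMES = {"auto_open", "workbook_open", "document_open", "autoopen"}


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_random(ident: str) -> bool:
    """Long, mixes letters and digits, high character entropy: not a human name."""
    has_digit = any(ch.isdigit() for ch in ident)
    return len(ident) >= 8 and has_digit and shannon_entropy(ident.lower()) > 2.5


def extract_features(source: str) -> dict:
    idents = {i for i in IDENT_RE.findall(source) if i not in VBA_KEYWORDS}
    random_idents = [i for i in idents if looks_random(i)]
    string_assembly = len(re.findall(r"\b(?:Chr|ChrW|StrReverse)\s*\(", source))
    return {
        "size": len(source),
        "random_ident_ratio": len(random_idents) / len(idents) if idents else 0.0,
        "string_assembly_calls": string_assembly,
        "concat_density": source.count("&") / max(1, source.count("\n")),
        "autorun": any(i.lower() in AUTORUN_NAMES for i in idents),
    }


def obfuscation_score(source: str) -> float:
    """Weighted sum of the features above; weights are demo assumptions."""
    f = extract_features(source)
    score = 3.0 * f["random_ident_ratio"]
    score += min(f["string_assembly_calls"], 10) * 0.3
    score += min(f["concat_density"], 5) * 0.4
    score += 1.0 if f["autorun"] else 0.0
    score += 1.0 if f["size"] > 20_000 else 0.0  # unusually large macro text
    return round(score, 2)


THRESHOLD = 2.0  # assumed cut-off for the demo


def is_suspicious(source: str) -> bool:
    return obfuscation_score(source) >= THRESHOLD


if __name__ == "__main__":
    known_bad = {signature(OBFUSCATED_MACRO)}  # signature of the first sample only
    for name, src in [("clean", CLEAN_MACRO), ("obfuscated", OBFUSCATED_MACRO),
                      ("variant", OBFUSCATED_VARIANT)]:
        print(f"{name:11s} signature_hit={signature_match(src, known_bad)!s:5s} "
              f"score={obfuscation_score(src)} suspicious={is_suspicious(src)}")
```

Run as a script, the clean macro scores near zero, the obfuscated sample matches the signature and scores high, and the variant, which no longer matches the signature, scores exactly the same as the original because none of the features it is built on changed. The trade-off the article alludes to is visible too: a heuristic score is a judgement about style, so a threshold set too low will also block clumsily written but legitimate macros.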