The Malicious Macros Problem May Be Solved SoonUsing Containers, Malicious Documents Will Be Isolated in Office 365
A handful of common lures still have astounding success in compromising computers: phishing emails, malicious links and the king of them all: the malicious Microsoft Office document.
For years, bogus Microsoft documents combined with precise social engineering have tricked many into unwittingly giving attackers a foothold by using malicious invoices, shipping notices or documents they believed were legitimate.
The source of the problems are usually macros, the powerful code snippets written in Visual Basic that can automate repetitive tasks. Although macro-based attacks have persisted, attackers have increasingly embraced the attack vector as a reliable fallback, especially as operating system and browser vulnerabilities become harder to find. Macro-based attacks have been key in spreading ransomware.
Over the last few weeks, Microsoft has seen about 400,000 attempted macro-rooted computer compromises detected by its Defender security software, David Weston, partner director of OS security at Microsoft, tells Information Security Media Group.
Abstinence from using macros is the most sure-fire way to avoid trouble. But their utility has often caused organizations to leave the door open. The Australian Cyber Security Center published a chart showing the risks of different types of macro choices.
Macros have long been enabled by default. But two years ago, FireEye’s Mandiant investigations unit wrote about attackers actually calling victims to get them to enable macros. It worked, sometimes (see: Hello! Can You Please Enable Macros?).
Weston says there’s a “tradeoff between security and productivity. Users are eager to get their work done which can sometimes lead to working around security.”
Microsoft would like to block the risk completely and has decided to bring Application Guard to Office 365. It’s the same security feature that’s in the Edge browser in Windows 10, which allows administrators to define trusted websites. Within Edge, untrusted websites are run in a Hyper-V container, which isolates them from the host operating system and hardware. If the website is malicious, it can’t get outside the container to do damage.
A similar type of isolation will be wrapped into Office 365, writes Rob Lefferts, vice president of Microsoft Security, in a blog post. The announcement was made at Microsoft’s Ignite Conference in Orlando, Florida.
“Secured-core PCs deliver on the zero-trust model, and we want to further build on those concepts of isolation and minimizing trust,” Lefferts writes.
Microsoft is offering a limited preview of Application Guard for the ProPlus version of Office 365.
“You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container,” Lefferts writes. “View, print, edit and save changes to untrusted Office documents - all while benefiting from that same hardware-level security. If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind.”
If someone wants to designate a document as trusted that had been considered untrusted, it will be flicked to Microsoft’s Defender ATP threat cloud to ensure it is not malicious. “This integration with Microsoft Defender ATP provides admins with advanced visibility and response capabilities - providing alerts, logs, confirmation the attack was contained, and visibility into similar threats across the enterprise,” Lefferts writes.
U.K. security researcher Kevin Beaumont writes on Twitter that Microsoft will move the needle if it can ensure malicious documents can be opened with no risk to users.
One of the biggest challenges to global cybersecurity is, yes, macros and Office docs. If Microsoft can eventually get that to a place where files automatically open in secure containers without impacting users, it will move needle.— Kevin Beaumont (@GossiTheDog) November 5, 2019
Macro Malware Resurgence
In September 2018, Microsoft said it noticed a “resurgence” in macro-based campaigns. The activity spanned across the spectrum, from commodity malware campaigns to targeted attacks and in red-teaming activity, it said. One of the most significant problems with malicious macros is that the code can be obfuscated, making it difficult make an automated judgement on intent.
“Macro source codes are easy to obfuscate, and a plethora of free tools are available for attackers to automatically do this," Microsoft wrote. “This results in polymorphic malware, with evolving obfuscation patterns and multiple obfuscated variants of the same malicious macro.”
Earlier this year, researchers Stan Hegt and Pieter Ceelen, both of the Dutch security consultancy Outflank, released Evil Clippy, a tool for creating malicious macros that can bypass security products.
Evil Clippy works across Windows, Linux and macOS. When it was released, the authors said it was capable of placing a macro part of the Cobalt Strike penetration testing platform to evade anti-virus products and other malicious document analysis tools.