reports that while malicious macro-enabled attachment use dropped by nearly 66% from October 2021 to June 2022 as a result of Microsoft blocking Office macros by default, threat actors have been leveraging new tactics to get around Microsoft's defense strategy in new phishing attacks.
Threat actors have been circumventing default macro blocking by leveraging container file formats, with malicious campaigns using ISO, RAR, and LNK files having increased by almost 175% during the same period, a report from Proofpoint revealed.
"When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web," said researchers.
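The mechanism behind that quote is Mark-of-the-Web: on NTFS, a downloaded file carries a `Zone.Identifier` alternate data stream whose `ZoneId` tells Office the file came from the Internet zone, and the default macro block keys off it. Files pulled out of a container such as an ISO never receive that stream, so a defender auditing a mailbox quarantine or a user's Downloads folder wants to know which macro-capable documents are sitting there without any mark. The script below is an added example written for this article, not code from Proofpoint or from the report; it parses `Zone.Identifier` content, reads the stream on Windows (the ADS reader returns `None` on other platforms), and triages documents by extension and zone. The sample stream text is constructed, and the assumption that the default Office policy blocks macros for `ZoneId` 3 (Internet) and 4 (Restricted) is marked as such in the code.

```python
"""Audit macro-capable Office files for a Mark-of-the-Web (Zone.Identifier) stream.

Added example for this article; not part of the Proofpoint report.
"""
from __future__ import annotations

import os
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional

# Extensions that can carry VBA or XLL add-in code; extend to taste.
MACRO_CAPABLE = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xltm", ".xlam", ".pptm", ".xll"}

# Assumption: the default Office block applies to files marked Internet (3) or Restricted (4).
BLOCKED_ZONES = {3, 4}


@dataclass
class ZoneInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneInfo:
    """Parse the INI-style body of a Zone.Identifier stream.

    Constructed sample of what the stream usually holds:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.invalid/
        HostUrl=https://example.invalid/invoice.docm
    Only keys inside the [ZoneTransfer] section are honoured; blank and ';' comment lines are skipped.
    """
    values: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    zone_raw = values.get("zoneid")
    zone_id = int(zone_raw) if zone_raw is not None and zone_raw.isdigit() else None
    return ZoneInfo(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file, or None when absent.

    NTFS exposes the stream as '<file>:Zone.Identifier'; on non-Windows hosts there is
    no such stream, so the function reports the file as unmarked.
    """
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(path: str, stream_text: Optional[str]) -> str:
    """Triage verdict for one file given its (possibly missing) Zone.Identifier content.

    'not-macro-capable'  : extension cannot carry macros/XLL code
    'blocked'            : marked Internet/Restricted, so the default policy blocks macros
    'marked-not-blocked' : has a mark, but from a zone the policy does not block
    'unmarked'           : macro-capable and carries no mark at all (the container-file case)
    """
    if Path(path).suffix.lower() not in MACRO_CAPABLE:
        return "not-macro-capable"
    if stream_text is None:
        return "unmarked"
    info = parse_zone_identifier(stream_text)
    return "blocked" if info.zone_id in BLOCKED_ZONES else "marked-not-blocked"


def summarize(entries: Iterable[tuple[str, Optional[str]]]) -> dict[str, int]:
    """Count verdicts over (path, stream_text) pairs; feed it real files via read_zone_identifier."""
    return dict(Counter(classify(path, text) for path, text in entries))


def audit_directory(root: str) -> dict[str, int]:
    """Walk a directory tree on a Windows host and summarize the Mark-of-the-Web state of every file."""
    paths = (str(p) for p in Path(root).rglob("*") if p.is_file())
    return summarize((p, read_zone_identifier(p)) for p in paths)


if __name__ == "__main__":
    # Constructed entries standing in for a quarantine folder: one downloaded directly,
    # one extracted from an ISO (no stream), one plain text file.
    MARKED = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.docm\r\n"
    demo = [("invoice.docm", MARKED), ("shipment.xlsm", None), ("readme.txt", None)]
    for path, text in demo:
        print(f"{path:15} {classify(path, text)}")
    print(summarize(demo))
```

Run it as-is to see the constructed demo, or call `audit_directory(r"C:\Users\alice\Downloads")` on a Windows host; every `unmarked` hit on a macro-capable document is a file the default block will not protect, which is exactly the set the container-file technique produces.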
The report also showed that container files can be used for direct payload delivery by bundling DLLs, LNKs, and other executable files. Exploitation of XLL files in malware campaigns has also increased slightly, according to Proofpoint.