Default macro blocking prompts new malware distribution modes

CyberScoop reports that significantly different attack mechanisms have been leveraged by threat actors for malware distribution since Microsoft decided to block macros by default last year, with macro-dependent phishing campaigns declining by almost 66% from January 2021 to March 2023. While ISO files and LNK files were initially favored by threat actors as new methods to facilitate malware delivery, such approaches petered out early, with the use of ISO files significantly curbed by a Microsoft update in November and LNK file usage peaking last June and September, according to a Proofpoint report. More attackers have since leveraged HTML smuggling, which had its activity spike from June to October before another increase in February, as well as malicious PDF attachments, which gained traction early this year. Such changes in malware delivery methods indicates ongoing experimentation among threat actors, said researchers. "No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques," researchers added.