Microsoft macros: a blessing and a curse. Macros constantly have IT teams grappling between productivity and security. On the one hand, macros eliminate a great deal of monotony for end users by automating repetitive tasks. But, it’s also fairly easy for cybercriminals to embed malware within a macro that can evade security detections.

The solution to this problem isn’t black and white. It falls into a murky, gray area. In today’s workforce, macros are a necessity. And, in today’s threat landscape, robust security has become a necessity. As much as companies may want, they cannot block macros--it would cause serious productivity loss--or ignore security.

Understanding what exactly Microsoft macros are, the advantages they offer and the threats targeting them has become important as IT teams finally work to find the balance between productivity and security.

Macros defined

Macros are centered around automation, reducing the number of monotonous work end users perform and accelerating business productivity. Essentially, a Microsoft user can bundle a set of task functions into one single command that occurs automatically. We can thank macros for allowing us to sort Excel worksheets alphabetically or numerically. Macros are also to thank for the ability to merge or unmerge a group of cells in worksheets. Same goes for transforming data within a cell into a new format. These are just a few examples of macro-enabled tasks that end users perform daily. Many professions, especially the financial services industries, rely heavily on Microsoft (specifically Excel), which makes macros a game changer. If macros automate 10 to 15 tasks in Excel, organizations can save hours, if not a full day's work.

Macros and bad actors: a perfect match

Bad actors long ago figured out that they could hide malicious code within Office macros and have a high success rate of triggering the payload. Microsoft documents--whether Excel, PowerPoint, Word or others--are some of the most common file types used in attacks as they are the most widely used among organizations. Macro-based viruses have been around for decades with the first macro virus, dubbed Concept, appearing in July 1995 targeting Microsoft Word. Macro viruses targeting Excel appeared not long after. There are two main reasons this problem still persists almost 30 years later:

  • Relying too much on detection methodology: As a community, we have put too much emphasis on detection-based principles, meaning many of our security strategies are structured on searching for known malware signatures or known threats. Sometimes this also includes placing the onus on the end user to spot malicious attempts via phishing awareness training and other threat education practices. But, there are so many unknowns and advanced threats that detection-based strategies are inherently flawed. It’s extremely easy for a bad actor to create an unknown, zero-day threat. All it takes is a slightly modified piece of known malicious code and then it’s a zero-day not on malware signature databases that can bypass antivirus or sandboxing technologies. Malicious code also often gets embedded so deep within the macro and file contents that it’s unscannable by detection technologies. Detection does not equal prevention, and in some cases, once security teams detect the threat it’s already too late.
  • Advanced social engineering: Bad actors disguise the content containing the malicious code as innocent. Even the most security-conscious individuals are fooled. Attackers can spoof send-from email addresses/servers to appear as if they are coming from a trusted source--a coworker or legitimate company like FedEx. The bad actor will use jargon and language that the recipient would expect to receive from the anticipated source. This ties in to the idea that detection-based principles are not sufficient enough for today's threats. Phishing awareness training will reduce an organization’s risk but it cannot, and should not, be the primary source of protection. There’s typically always a degree of human error at the hands of socially engineered attacks. If these attacks are so socially engineered that they can fool and bypass security systems, imagine how many times they can fool end users and penetrate the network.

Knowledge is power

Macro-based threats are not new, but still plague organizations across the globe. Preventing macro- and other file-borne threats may appear like a small component of overall security strategies, but it can have the biggest impact. Microsoft Office has billions of users worldwide, resulting in an extremely large attack surface ripe with possibilities for opportunistic hackers. It doesn’t take an advanced, nation-state group to conduct these attacks, amateur hackers exploit macros all of the time.

When it comes to preventing macro-based threats, leverage knowledge as the best weapon. Understanding what macros truly are and how bad actors are exploiting them will shine a light on the weak spots in security strategies and allow us to turn that knowledge into action. Here are the questions security teams should ask when building out a file security strategy and seeking a solution provider:

  • How does the organization identify and neutralize unidentified file objects? Does that include malicious macros?
  • How does the organization prevent threats? How does it search for known bad or known good?
  • Is file fidelity and usability affected? How will it impact productivity as a result?

I often find that the answers to these questions are quite telling and serve as a great guide for security pros to better understand the reality of their overall programs and where they can improve that will benefit not only security, but the company as a whole.

Aviv Grafi, founder and CTO, Votiro