Hacker use of Microsoft macros plummeted after default block: report

The use of macros in Microsoft Office applications by hackers decreased significantly after the tech giant first decided to block the feature by default, according to a new report from cybersecurity firm Proofpoint.

In a study released Thursday, Proofpoint researchers said they saw a decrease of two-thirds from October 2021 through June 2022 of threat actors using Visual Basic Application (VBA) and XL4 macros, which are series of commands used to automate a repeated task.  


A chart of VBA macro usage. Image: Proofpoint

VBA macros have been used prolifically by cybercriminals and state-backed groups to automatically run malicious content when macros are actively enabled in Office applications, according to Proofpoint, which added that XL4 macros – which are made for Excel – were also popular among threat actors. 

Microsoft declined to comment on the decreases when asked about the report. The company was praised for blocking XL4 Macros in October and VBA in February. It faced significant backlash from security experts when it reversed its decision earlier this month, following complaints from some clients, but quickly reinstated the block last week

Proofpoint researchers said while they saw a drop in macros threats by two-thirds, they saw a 175% increase during the same period in the number of campaigns using container files, which are a compressed collection of files, like ISO and RAR, as well as the Windows shortcut LNK.

“Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history,” they said. 

“It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”


Image: Proofpoint

The Proofpoint report notes that macros are still used by threat actors, but that there has been a noticeable shift as groups try to get around Microsoft’s Mark of the Web attribute, which the company uses to block VBA macros by determining if a file originated online. 

“Additionally, threat actors can use container files to distribute payloads directly. When opened, container files may contain additional content such as LNKs, DLLs [Dynamic Link Libraries], or executable (.exe) files that lead to the installation of a malicious payload,” Proofpoint researchers explained.

LNKs specifically have been used widely by cybercriminal groups behind malware like Emotet, QBot and Phorpiex, while state-backed groups from Russia, North Korea and elsewhere have also used them in several campaigns.  

Proofpoint said it has seen an increase in ISO and LNK files in campaigns. Usage of the former increased 150% between October and June, with more than half of the 15 hackers being tracked using ISO files since January. 

From February onwards, Proofpoint researchers observed at least 10 groups use LNK files, with a 1,675% increase in LNK files used since October 2021.


Image: Proofpoint

“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different filetypes for initial access. This change is led by the adoption of ISO and other container file formats, as well as LNK files,” Proofpoint researchers explained. 

“Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.