‘Warning: This document contains macros‘
Using Microsoft Office documents of any format at work every day is a risky business. This is because of a convenient innovation which turned out to be a great vulnerability – the humble macro. The macro can be ignored. Or it can be disabled. Or it can be enabled – and all that technological magic can introduce your system to venemous malware such as Dridex or Locky in the time it takes to say information superhighway-robbery. Macros are small things that contain big capabilities (hence ‘macro’); they can facilitate a time-saving routine office procedure, or fundamentally change a basic data document into an inter-continental strategic malware missile.
The concept of macro enabling was dreamed up in the naughty ‘nineties, when everything was about using technology to maximize user convenience, and not much thought was given to security. It is as though the developers were all wearing rose-tinted glasses. Macros are coding that contain a series of commands to start a process. They are powerful possibilities contained in small segments of code. Microsoft Office programs support VBA macros (Visual Basic for Applications) which is now being appropriated by cyber-thieves for the delivering malware – increasingly targeting financial business and corporate systems. Last year, Dridex was introduced to the U.K banking community as a tiny macro, and left the scene 20m Euro wealthier.
Increasingly, malware authors are using social engineering methods to convince a user to open documents. This psychology appeals to the recipient in some way to trigger the need to click open – for example, a notice seemingly about an unpaid bill, or money that is waiting for the user to claim. Also, spearphising is used, where some relevant and correct details connected to the user are employed in the ‘mail’s title to lend veracity. The most simple case is a reference to the geo-location of the victim which can be found very easily. Or reference to a specific department of a company – this sort of information is readily available on a firm’s website. When the ‘mail is opened, a notice will appear informing that to view the content, something like ‘Enable Editing’ must be clicked on – this is the start of the end…
How to defend against macro-launched malware
First line of defence:
For the private user, disabling macros is simple enough and prevents mistakes. In an office environment, this isn’t a feasible option in many cases. The alternative is to transfer files to a Trusted Location, which is a safe (or Demilitarized) zone where malware cannot cause damage. This can be configured via:
User Configuration -> Administrative Templates -> Microsoft Office XXX 20XX -> Application Settings -> Security -> Trust Center -> Trusted Location
Once set up, malicious macros not configured to operate in the Trusted Location are emasculated and cannot run.
Secondary line of defence:
After knowing of the potential dangers of Office-born Macros for some time, Microsoft has finally come up with a solution. This feature – Block macros from running in Office files from the Internet is now standard in MS Office 2016 and prevents internet-delivered macros from executing. It is configured via the Group Policy Management Editor:
User configuration -> Administrative templates -> Microsoft Word 2016 -> Word Options -> Security -> Trust Center
This will block internet delivered macro execution even if the the settings are for ‘enabled’ in macro settings, over-riding this permission. Note: this must be implemented for each Office application individually. With this option running, instead of having the trip-wire opportunity of a booby-trapped macro request for Enable Editing, Office will notify the user that macros have been blocked as they come from an Untrusted Source. Then there is the prompt to move the file to the Trusted Location for reading.
These two steps should guard companies and private users. When things at work are very busy – or very slow, and attention in the office wanders a little – these steps could prevent a 20m inter-continental malware missile attack!
