As if we didn’t know that ransomware was bad news — we learned just how big of an epidemic this stuff is becoming with the WannaCry attack earlier this month. The scope of this particular attack was truly astonishing, reaching hundreds of thousands of users in over 150 countries worldwide. From a security perspective — we have to learn from attacks like WannaCry in order to help prevent or mitigate them in the future. And even though WannaCry seems like it may be in our rearview mirror now, cyber criminals are incredibly creative and always looking for a new angle for the next big attack. One of the angles we’ve recently observed, and that seems to be making a comeback, is an attack sent through email that asks the user to “enable macros.”
Highlighted Threat: This particular threat attempts to convince the recipient to “enable macros” or “enable content” in order to launch an attack.
The Enable Macros phishing attack uses a few different steps and techniques to gain the recipient’s attention and ultimately launch an attack. In this particular example, the first step the attacker takes is to send an intimidating email to the recipient that appears to come from an authoritative department; the sender’s address is forged to make the message look important and authoritative. This email also contains an attached Microsoft Office document. Interestingly, the sender isn’t looking for a reply, but rather for the recipient to open the attached file.
If the document is opened, and if macros are not enabled, the recipient may get a warning that says the document “contains macros.” In general, macros allow users to automate frequently used tasks. However, macros pose a security risk because someone with malicious intent can introduce a destructive macro into a document or file to launch an attack. For this reason, it’s not uncommon for a system administrator to implement a policy so that employees can’t enable macros on their own. In contrast, some organizations routinely use Office macros, so users may have them enabled by default, and even if they don’t, users are already conditioned to enable them without hesitation. You can find more information about macros in Microsoft’s support page: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12
Here’s what a possible “enable content” alert could look like to the user:
When the attached file is opened, the recipient will be asked to “enable macros” or “enable content,” but regardless of which wording is used, they both mean the same thing. Typically, these documents contain a macro called “Auto_Open” or “Document_Open,” but it could be any one of a dozen or so magic names that cause Microsoft Office to run the macro automatically once the document is opened. The scary thing is that running the macro doesn’t require any interaction from the user aside from simply opening the file. In this case, if the recipient enables macros, or if the recipient already has macros enabled in their Microsoft Office configuration, the malicious payload will run immediately. The main payload may be the Office macro itself, or, often, the Office macro may merely be a downloader that fetches the real payload from somewhere on the Internet.
The payload could be anything, but of course the most popular payload these days is ransomware. If ransomware happened to be the payload here, the malicious software would silently encrypt every file on the computer once the document was opened. This is a great example of how easy it can be to launch a ransomware attack through email, and as we witnessed with the WannaCry attack, things can get bad really fast.
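As an added example that is not part of the original post, here is a small Python check of the kind a mail gateway or analyst could run on an Office attachment before it reaches a user: it ignores the file extension, looks inside the ZIP container for a vbaProject.bin part and a macroEnabled content type, and reports any plain-text hit on the auto-run names discussed above. The sample document and the list of auto-run names are constructed and assumed; real VBA streams are compressed, so the name scan is only a bonus signal on top of the container checks.

```python
import io
import zipfile

# Auto-run names: the two on the page plus a few common ones (assumed, partial list).
AUTO_EXEC_NAMES = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "AutoExec")

def inspect_office_attachment(data: bytes) -> dict:
    """Inspect an OOXML attachment (docx/xlsx/pptx family) held in memory.
    The file extension is ignored on purpose: a renamed .docm is still a ZIP
    carrying a vbaProject.bin part and a macroEnabled content type."""
    result = {"is_ooxml": False, "has_vba": False,
              "macro_enabled_type": False, "auto_exec_names": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not an OOXML document
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    vba_parts = [n for n in names if n.endswith("vbaProject.bin")]
    result["has_vba"] = bool(vba_parts)
    if result["is_ooxml"]:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_type"] = "macroEnabled" in ctypes
    # Real VBA streams are MS-OVBA compressed, so a plain-text hit is a bonus
    # signal only; a full scanner such as olevba decompresses the source.
    for part in vba_parts:
        blob = zf.read(part)
        result["auto_exec_names"] += [n for n in AUTO_EXEC_NAMES if n.encode() in blob]
    return result

def should_quarantine(result: dict) -> bool:
    """Gateway policy: hold any document that carries VBA or declares macros."""
    return result["has_vba"] or result["macro_enabled_type"]

def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macro:
        ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # constructed stub; a real stream is an OLE file with compressed VBA
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 Sub Document_Open() ... End Sub")
    return buf.getvalue()
```

Calling `inspect_office_attachment(build_sample_docm(True))` flags the VBA part, the macroEnabled content type and the Document_Open name, while the macro-free sample passes all three checks.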
As you can see, this particular attack attempt depends on the following techniques:
- Phishing: To initiate correspondence, the attacker sends a convincing email with a forged sender address to persuade the user to open the attached file.
- Malicious software: In this instance, the attack could be launched either as soon as the attachment is opened or as soon as the user enables macros on their machine.
While analyzing this particular threat we also took a look at the domain that the attackers used for a bit more background. We found that the domain was created in January and that the IP address of the SMTP server is located in France; however, when we looked up the A record for the domain, we found it to be in St. Petersburg, Russia. All this really shows is how spread across the globe these types of attacks can be, not where the attackers are actually located — they could really be anywhere.
So, should you enable macros? You may want to think twice.
Companies should assume that they will be attacked and need to be proactive. Regular employee training is incredibly important to ensure people remain aware of attempts like the one illustrated here. Layering employee training with security technologies like sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. Additionally, you can deploy anti-phishing protection with Link Protection to look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.