The return of macro attacks

Published on 22 June 2016 / Last Updated on 22 June 2016

Macro attacks are on the rise. Microsoft suggests that 98% of Office-targeted threats currently use macros. Let’s revisit macros, this old-fashioned form of attack, consider ways to deter the threat, and look at the new Microsoft Office 2016 feature released to help defend organisations against the resurgence in macro attacks.


Do you remember Melissa, the virus? Back in 1999 the notorious fast-spreading macro virus was distributed as an email attachment. When the attachment was opened, defences in Word 1997 and Word 2000 were disabled. Users with Microsoft Outlook accelerated the spread, as the virus was sent on to the first 50 contacts in each user’s address book. The Melissa virus had everyone on edge (even Microsoft shut down incoming emails) and was successful in its destruction. In the 1990s Word macros thrived. After the Melissa virus, Microsoft were forced to reconsider their security and take it more seriously. Microsoft disabled the automated scripts by default, thereby forcing attackers to try alternative attack methods.

This older form of attack has returned and, unlike the macro-based malware of the 90s, today’s macros are more sophisticated, cleverly disguised and often encrypted, which makes them very challenging to detect. Microsoft say that recently they have noted an increase in macros being downloaded and this has affected over 500,000 machines globally. Recent malware of this kind includes ‘Dridex’, a banking Trojan, and the latest, ‘Locky’, which is crypto-ransomware.

‘Locky’ works by disguising itself as an invoice and includes an attached Word doc. When the file is opened and macros are enabled, the crypto-ransomware locks down files and a ransom note demands payment for the decryption key, leaving many organisations with little choice but to comply.

Attackers are utilising no-frills social engineering ploys and simple Visual Basic script to effortlessly execute their attacks. Once again, with the influx of macro-based malware attacks, Microsoft have been forced to reconsider their security and have released a new feature to help protect organisations from new and increasing macro-based malware threats: a macro-blocking feature for Office 2016.

What is macro-based malware and why has it made a comeback?

Macros are a set of commands or codes intended to automate specific functions. They can be advantageous and, because of this, they are commonly used by organisations to save time on repetitive tasks in software such as Microsoft Word or Excel, as Microsoft Office programs support macros written in Visual Basic. However, macros can also be used maliciously. Anyone can write a macro to automate a plethora of tasks, including macros that enable malicious software to run on a device or machine.

Macro-based malware relies on the likelihood that the user will enable it, and the chance of this occurring is great, considering the volume of emails every company receives daily. It takes only one user to slip up and begin the process.

A macro’s journey typically follows the same course each time. An email containing some form of persuasive detail, usually in the subject line, coaxes a user to open a spam attachment and download and open a file containing the macro. The macro can subsequently download and install malware onto the machine, leaving the machine/system compromised. The documents are usually in Word format but may also be in another Office format like Excel.

Macro-based threats appeared to have died out and seemed neglected until recently. Why has macro-based malware made such a strong comeback? Could it be that this form of attack is made easier with the popularity of social media? Is it an easy route of attack with a high success rate? It is thought that the resurgence of attacks is greatly driven by social engineering, and the way in which people interact freely over social media encourages this. The enhancements in software security made by companies to stop malicious code from executing may also have influenced attackers to consider older and workable forms of attack. Old forms of attack provide attackers with a useful contingency when countermeasures and security enhancements stop the spread of malicious applications. Human naivety and error will always persist and attackers can rely on this. Through either curiosity or trepidation someone will fall for their ruse and the attacker will succeed in their efforts.

With Microsoft’s initial improvements to security, disabling macros by default, attackers are now heavily reliant on the social engineering aspect and the ability to create a convincing scam. The success of recent attacks shows that these attacks work, and thus it can be expected that this form of attack will remain for the foreseeable future.

How to prevent a macro-based attack?

The frustration with this type of attack is that there is no way to absolutely guarantee that a user will not mistakenly open a document in an email and enable a malicious macro. It is very likely that this will occur.

It is essential for users to be cautious and to maintain an up-to-date Windows OS and Office installation; always keep both patched. Ensure that the organisation has a robust security solution in place to protect against and detect malware. A multi-layer approach is always recommended: a combination of the best solutions for anti-malware and anti-spam as well as protection and detection solutions.

It is best to avoid enabling macros on documents that are received from an unknown source.

If the organisation does not use macros for daily tasks, it is always considered best to disable them completely.

Alternatively, steps can be taken to help protect against this type of attack through applying the already available mitigations in Office and by utilising the new macro-blocking feature for Office 2016.

The new feature for Office 2016

Macro viruses almost died out after Microsoft disabled macros by default in its Office programs. The default setting to block macros in all documents has been an included feature for some time, but it gives users the option to bypass the restriction, thereby still placing the user and organisation at risk of infection. With the increase in macro-based threats, Microsoft has aimed to provide an improved feature. The Group Policy setting (‘block macros from running in Office files from the Internet’) can be utilised to disable macros in Office documents received from specific high-risk locations. The setting cannot be bypassed by the user; the user is unable to accidentally infect the machine, as the setting is enabled in Group Policy by the Admin.

The feature in Office 2016 blocks macros from loading in certain high-risk circumstances, such as documents downloaded from the internet or storage providers (Dropbox, OneDrive and Google Drive), document attachments sent from outside of the organisation, and documents from file-sharing or public sharing. Organisations can restrict macro use to precise situations and block other macro enablement, allowing for better control over macro usage. Not only can the feature be controlled via Group Policy but it can be configured per application too. The Group Policy element can be enabled for Word, Excel and PowerPoint. Finally, if a user attempts to enable a macro, the user is issued with a strict notification/warning and is directed to Admin.
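One way to audit that the policy described above is actually applied for Word, Excel and PowerPoint, as an added example that is not part of the original article. It assumes the policy is stored per user as the DWORD value blockcontentexecutionfrominternet under the Office 16.0 policy keys; the function name Get-OfficeMacroBlockStatus is hypothetical.

```powershell
# Added example: audit "Block macros from running in Office files from the Internet".
# Assumption: Group Policy stores it per user as the DWORD value
# blockcontentexecutionfrominternet under each application's Security policy key.
function Get-OfficeMacroBlockStatus {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # The applications the article says the policy can be enabled for.
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint'),
        # 16.0 is the registry version key used by Office 2016.
        [string]$OfficeVersion = '16.0',
        # Parameterised so the check can be pointed at a loaded user hive.
        [string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office'
    )
    $valueName = 'blockcontentexecutionfrominternet'
    foreach ($app in $Application) {
        $key   = Join-Path $PolicyRoot "$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = $null
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $value = $props.$valueName
        }
        # Missing value = policy not configured, so the user-facing default
        # (macros disabled, but the user may enable them) still applies.
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 1)  { $state = 'Enabled' }
        else                   { $state = 'Disabled' }

        [pscustomobject]@{
            Application   = $app
            PolicyKey     = $key
            State         = $state
            UserCanBypass = ($state -ne 'Enabled')
        }
    }
}

# Report every application where a user could still enable macros in a
# document that came from the Internet.
$gaps = @(Get-OfficeMacroBlockStatus | Where-Object UserCanBypass)
if ($gaps.Count -eq 0) {
    'Macro blocking is enforced for Word, Excel and PowerPoint.'
} else {
    $gaps | Format-Table Application, State, PolicyKey -AutoSize
}
```

Run it in the session of the user being audited, since the policy is applied per user.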


The notable increase in macro-based threats has been emphasised through the release of Microsoft’s new macro-blocking feature for Office 2016. Organisations should avoid becoming complacent as this type of threat, although old, is on the increase and is more sophisticated and more difficult to recognise than before. Not only are we noticing a resurgence of macro-based attacks, it is likely that these attacks are here to stay for some time to come. Organisations must take all possible precautionary measures and above all be vigilant. The new feature released for Office 2016 will be useful for organisations to better position themselves and should help to deter this rising threat.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Monique is an international security researcher; she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.