Threat actors use new attack techniques after Microsoft blocked macros by default

Pierluigi Paganini July 28, 2022

Threat actors are devising new attack tactics in response to Microsoft’s decision to block Macros by default.

In response to Microsoft’s decision steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default in Microsoft Office applications, threat actors are adopting new attack techniques.

Researchers from Proofpoint reported that threat actors are increasingly using container files such as ISO and RAR, and Windows Shortcut (LNK) files in their malware campaigns. Proofpoint researchers noticed that the of ISO, RAR and LNK file attachments reached nearly 175% during the same period and at least 10 malicious actors started using LNK files in their campaigns since February 2022.

“According to an analysis of campaigned threats, which include threats manually analyzed and contextualized by Proofpoint threat researchers, the use of macro-enabled attachments by threat actors decreased approximately 66% between October 2021 and June 2022.” reads the analysis published by Proofpoint.

Before October 2021, most of malicious phishing campaigns were spreading malware using weaponized Office documents. Upon tricking the victims into opening the file, the attack chain will start.

Microsoft’s move to block macros has pushed threat actors in finding alternative techniques to bypass Mark of the Web (MOTW) protections.

The Mark of the Web is a feature that was introduced by Microsoft to determine the origin of a file. If a file was downloaded from the Internet or from another location on a network, it would contain a comment in the file identifying the zone from which the file was downloaded from. Depending on this zone (e.g. intranet, internet etc) Windows would handle the file accordingly so as to avoid users from running or opening potentially harmful files from untrusted sources.

The researchers observed that the number of campaigns containing LNK files has increased by 1,675% since October 2021. Proofpoint tracked multiple threat actors, both cybercriminal gangs and APT groups, leveraging LNK files.

“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different filetypes for initial access. This change is led by the adoption ISO and other container file formats, as well as LNK files. Such filetypes can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware.” concludes the report. “Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history. It is likely threat actors will continue to use container file formats to deliver malware, while relying less on macro-enabled attachments.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, macros)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini August 20, 2025

Britain targets Kyrgyz financial institutions, crypto networks aiding Kremlin

Pierluigi Paganini August 20, 2025