How Cybercriminals Adapted to Microsoft Blocking Macros by Default

One long-awaited security move caused a ripple effect in the cybercrime ecosystem.

3 Min Read
an image of the Microsoft sign and logo on a building
Source: Sundry Photography via Adobe Stock

Ever since Microsoft decided to block Office macros by default, threat actors have been forced to evolve, adopting new methods for delivering malware at an unprecedented rate.

For a long time, threat actors have used malicious Microsoft Office macros to get a hook inside of their target's computers. It was for that reason that, in 2022, Microsoft finally — though unevenly — began blocking macros by default on files downloaded from the Internet.

Now, without their favorite toy, hackers are having to come up with new ways to get their malware where they want it to go.

"In a lot of ways, they're just kind of throwing spaghetti at the wall to see what sticks," says Selena Larson, author of a new report on the trend. "The energy that they're spending to create new attack chains is really unique," and cyber defenders are going to have to keep up.

How Attackers Have Adjusted

Rarely has such a simple policy change made such a big difference in the cybercrime landscape. In 2021, the year of Microsoft's announcement, researchers from Proofpoint tracked well beyond a thousand malicious campaigns utilizing macros.

In 2022 — the year the policy change took effect — macro-enabled attacks plummeted 66%. Thus far in 2023, macros have all but disappeared in cyberattacks.

In their place, hackers need some other solution. Container files emerged as a popular alternative last year, allowing attackers to bypass Microsoft's "mark-of-the-Web" tag for files downloaded from the Internet. Once Microsoft addressed that workaround, however, such files went the way of the macro.

Since then, hackers have been searching for their new golden goose.

For example, in H2 2022, Proofpoint researchers observed a significant rise in HTML smuggling — slipping an encoded script through an HTML attachment. In 2023, good ol' PDFs have proven a popular file format for attackers. And last December, some malicious campaigns began utilizing Microsoft's notes-taking app OneNote as a means for delivering their malware. By January, dozens of threat actors piled onto the trend, and, in recent months, over 120 campaigns have made use of OneNote.

Nothing has stuck, though. "We haven't seen anything that has the same type of durability as the macro-enabled attachment," Larson says.

What This Means for Security Teams

"Attackers are having to be more creative now, which presents more opportunities for them to screw up or make mistakes," Larson says.

Still, forcing cybercriminals out of their comfort zone comes with a cost. "The speed and the rate and scope of the changes that they're making — all the different attack chains that they're experimenting with — stands out," she says.

And so, cyber defenders will have to move equally fast to keep up. "We're having to be proactive to threat actor behavior and come up with new detections and rules and such, because threat actors are trying different ways to bypass existing detections," she says.

Organizations, too, will need to keep up-to-date with the latest trends. Take security trainings: "I know that a lot of the time, people are trained on macro-enabled documents. Now you have to make your users aware of the new PDF methods and use real-world examples of potential threats to incorporate into security training," she says.

"But from an overall, holistic security viewpoint, I don't think there's anything that needs to drastically change, as long as you are ensuring that users are aware," Larson says. "Just being, like, 'Hey, look out for this type of thing!'"

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights