Malicious Macros - Have you received a fake invoice?

Today I'm covering another strategy from the Australian Signals Directorate’s Essential 8: Disabling untrusted Microsoft Office macros.

We’ll be looking at strategies to protect against malicious macros. These strategies can all be implemented in a Windows domain environment using Group Policy and they do not require third party software. This might not be the most exciting subject in the world, but grab a coffee and stick with me, it’s important.

Office macros have been around for a long time and are a great way to automate repetitive tasks. Unfortunately, they continue to be a popular way for cyber-criminals to deliver malicious payloads to computers. They are popular because it's much easier to get a person to interact with an Office document than to coax them into running a suspicious executable (which is also more likely to get picked up by anti-virus), especially if the document is disguised as something they deal with daily in their work life, such as an invoice or remittance advice.

Malware is often spread via email spam that uses an Office macro to kick off the infection process and download additional components. These messages will often come from a trusted source, someone the recipient knows, whose computer has already been infected. Emotet is an example of malware that is currently spreading via malicious email spam and that uses macro-enabled Word documents. This nasty piece of malware has many tricks up its sleeve: it can steal passwords and also extract email data.

Once upon a time Office macros ran by default. Fortunately, these days the default setting in Microsoft Office is to disable macros and prompt to enable them. I'm sure everyone is used to seeing the security warning:


That looks pretty good, should be protection enough, right? Unfortunately not. In many cases people become accustomed to clicking Enable Content without thinking; in our busy working lives it's certainly easy to become oblivious to this type of warning. Even if you receive your overdue invoice email and you're unsure about proceeding, the cyber-criminals are very helpful and often provide easy-to-read instructions to encourage you along. This one looks pretty official:


Microsoft introduced an additional security measure in Office 2013/2016 that can block macros in Word, Excel and PowerPoint documents coming from the internet. This includes documents arriving via email and documents downloaded from websites or storage accounts like Dropbox. This setting is controlled through Group Policy and should be enabled, as it greatly reduces the risk of malicious macros entering your environment and running. This is certainly not a replacement for email and web content filtering; they should of course still be in place. See what happens when I try to enable a macro received through email with this setting in place:


This is a great start, but we still need to do some additional work here to ensure our environment is secure. A simple Save As will work around this restriction, because the saved copy is no longer marked as having come from the internet. You need additional restrictions in place; the options are:

Disable Macros

Ideally, you disable macros from running completely. This should be controlled through Group Policy so it can't be changed on a computer. Certain business processes may require macro functionality, however, so in many cases it won't be practical to disable the functionality across all parts of an organisation. But perhaps macros can be disabled for a subset of employees, or for certain Office applications across all users. For example, maybe only a small number of people need to run Excel macros, and all other Office applications can have the functionality disabled. One rule doesn't have to suit all; let's reduce the attack surface if we can.

For those staff members that need to run macros, we really should look at whitelisting good macros and disabling all others. This can be done in two ways:

Trusted Locations

Specify one or more trusted locations, which are normally shared network folders. Macros in Office documents stored in these folders bypass the macro restrictions. It's important that access to these folders is restricted, so that only approved staff can add or modify macros in Office documents in these trusted folders.

Signed Macros

Sign the macros in approved documents with a code signing certificate. This means that documents are not restricted to certain network locations, but it does mean that a company needs to purchase a code signing certificate and implement a process whereby an approver signs the macros in trusted documents. Group Policy then ensures that only macros signed with the approved certificate(s) are allowed to run; all others are disabled.

Both of these methods offer a high level of protection against macro malware. Which method is preferable will depend primarily on how macros are used in the organisation and on the acceptable level of risk. That's where the planning part comes in.
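Once the Group Policy settings above have been rolled out, it is worth confirming on a workstation that they actually landed. The following PowerShell audit script is an added example and is not part of the original post; it reads the policy-backed registry values for the three settings discussed here (block macros from the internet, the macro notification level, and trusted locations) for Word, Excel and PowerPoint, and reports anything that would still let a user click Enable Content. It assumes Office 2016 or later (policy version key "16.0"; use "15.0" for Office 2013) and that the settings were delivered as user policy under HKCU:\Software\Policies. The registry value names are the ones Office's own Group Policy templates write; the finding text and the `Test-MacroHardening` logic are my own.

```powershell
# Added example, not from the original post: audit the GPO-backed Office macro
# settings on the local workstation and flag gaps a user could exploit by
# clicking "Enable Content". Run as the user whose policy you want to check.
$OfficeVersion = '16.0'                      # Office 2016/2019/365; use '15.0' for Office 2013
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings value set by the "VBA Macro Notification Settings" policy
$MacroLevel = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (Office default; users can click Enable Content)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-PolicyValue {
    # Return a registry value, or $null when the key or value is absent (policy not applied)
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-OfficeMacroPolicy {
    param([string]$App)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"

    $blockInternet = Get-PolicyValue -Path $base -Name 'blockcontentexecutionfrominternet'
    $vbaWarnings   = Get-PolicyValue -Path $base -Name 'VBAWarnings'
    $allDisabled   = Get-PolicyValue -Path "$base\Trusted Locations" -Name 'AllLocationsDisabled'

    # Trusted locations pushed by policy are subkeys (Location0, Location1, ...) with a Path value
    $trusted = @()
    if (Test-Path "$base\Trusted Locations") {
        Get-ChildItem "$base\Trusted Locations" | ForEach-Object {
            $p = Get-PolicyValue -Path $_.PSPath -Name 'Path'
            if ($p) { $trusted += $p }
        }
    }

    if ($null -eq $vbaWarnings) { $setting = 'Not set by policy (user can change it in the Trust Center)' }
    else                        { $setting = $MacroLevel[[int]$vbaWarnings] }

    [pscustomobject]@{
        Application         = $App
        BlockMacrosFromWeb  = ($blockInternet -eq 1)
        MacroSetting        = $setting
        TrustedLocationsOff = ($allDisabled -eq 1)
        TrustedLocations    = $trusted
    }
}

function Test-MacroHardening {
    # Return a list of findings; an empty list means the app meets the settings this article recommends
    param($Policy)
    $findings = @()
    if (-not $Policy.BlockMacrosFromWeb) {
        $findings += "$($Policy.Application): macros in documents from the internet are not blocked"
    }
    if ($Policy.MacroSetting -notmatch '^Disable all (except|macros without)') {
        $findings += "$($Policy.Application): macro setting is '$($Policy.MacroSetting)'; users can still enable macros"
    }
    if ($Policy.TrustedLocations.Count -gt 0 -and -not $Policy.TrustedLocationsOff) {
        $findings += "$($Policy.Application): trusted locations in use, confirm write access is restricted: $($Policy.TrustedLocations -join ', ')"
    }
    return $findings
}

foreach ($app in $Apps) {
    $policy = Get-OfficeMacroPolicy -App $app
    $policy | Format-List
    $gaps = Test-MacroHardening -Policy $policy
    if ($gaps.Count -eq 0) { Write-Output "$app : OK" }
    else                   { $gaps | ForEach-Object { Write-Warning $_ } }
}
```

The script deliberately reads only the Policies hive, because values there come from Group Policy and cannot be changed by the user through the Trust Center; a matching value under the non-policy `HKCU:\Software\Microsoft\Office` key would tell you only what the user has chosen, not what is enforced. A VBAWarnings value of 3 corresponds to the signed-macros approach in this article, and 4 to disabling macros completely; anything else, including an absent value, is reported as a gap.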

Bye for now.


Colin has over 20 years consulting experience working with organisations ranging from small business to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft based technology solutions, disaster recovery implementations and information security.