Robert Lemos, writing in May at Dark Reading:
Microsoft Office documents with malicious macros — often called “maldocs” — have resurged as a vector to infect systems, growing in the last half of 2020 to account for more than a third of malicious attachments and, at one point in September 2020, accounting for almost 80% of malicious attachments, according to data from Sophos.
Macros have had a long history of use by attackers, with many early viruses and worms — including the Melissa virus — using Office documents with malicious macros to spread. Both Microsoft Word documents and Excel spreadsheets are equally popular among attackers, and modern cybercrime services allow attackers to easily create maldocs. Some macros even allow attacks on the MacOS.
As I was writing earlier today about Safari’s slow development cycle compared to Chrome’s rapid introduction of APIs that pose new security and privacy risks, I remembered that we have been down this road before.
Microsoft Office, like the web, began purely as a document-based medium. But through features like macros, it became practical to create programs within Word documents and Excel spreadsheets. That opened up automation possibilities. It also created one of the most frequently-used exploit vectors on Windows. Microsoft has spent decades trying to improve security but, ultimately, individual users often find themselves as the ill-equipped defence against these attacks:
Overall, security awareness training may be the best way to harden the workforce against running macros. Microsoft has already added warnings by default to any attempt to run unsigned macros, but users can still accept macros and run them.
“Maybe we could see a shift in the industry or a shift in the use of it. We could really demand an alternative,” [Kilian Englert of Varonis] says. “Mistakes happen, and we shouldn’t ascribe blame to the end user. It is our job as security professionals to give them the best defenses that we can and then have tools to defend them.”
We ought to learn from these mistakes, not repeat them.