
Microsoft's secure VBA macro rules already being bypassed by hackers

Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware

The cyber criminal group operating the resurgent Emotet botnet has been observed trialling new attack techniques after Microsoft’s new rules on macro-enabled documents came into force.

Attributed to Threat Actor 542 (TA542), Proofpoint researchers said Emotet has been observed taking a ‘spring break’ with low levels of activity coinciding with observed changes in attack methodology.

Emotet has typically exploited weak default rules on macro-enabled Microsoft Office documents to deliver its malware payload to victims, but now that Microsoft has made the default handling of macro-enabled documents more secure, its attack vectors are seemingly about to change.

In a report published today, Proofpoint said it had observed Emotet moving away from malicious Office documents and instead including OneDrive URLs in spam email campaigns; the links lead to the download of a zip archive containing XLL files that drop the Emotet malware.

The malicious emails are typically designed to lure victims with one-word subject lines such as ‘Salary’, and the zip archive files adopt file names similar to the original lure: ‘’ was one example, containing XLL files with names such as ‘Salary_and_bonuses-04.01.2022.xll’.

The XLL files drop and run Emotet, which uses the Epoch 4 botnet, Proofpoint said. It is a new attack method, and its timing, coinciding with Microsoft’s more secure handling of VBA macros, is not a coincidence.
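A defender reading the chain above (lure email, zip archive, XLL add-in) will want something that inspects an archive for that pattern before it reaches Excel. The following is an added example written for this article, not Proofpoint's tooling; the archive and its members are constructed in memory, and the XLL body is only a stub PE header rather than real code. Because XLL add-ins are Windows DLLs, the check flags both the .xll extension and any member that starts with the PE magic bytes, so a renamed add-in is still caught.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample archive in the shape described in the article: a zip
# whose member is an XLL add-in. The member bodies are only a stub "MZ"
# header (XLL add-ins are Windows DLLs, so real ones start with the PE
# magic); they contain no executable code. The .txt member is a constructed
# case of the same payload hiding behind a harmless-looking extension.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary_and_bonuses-04.01.2022.xll", b"MZ" + b"\x00" * 62)
        zf.writestr("Bonus_table.txt", b"MZ" + b"\x00" * 62)
        zf.writestr("notes/readme.txt", b"see attached")
    return buf.getvalue()


def flag_archive_members(data: bytes) -> list[dict]:
    """Return one finding per zip member that is an XLL add-in by extension
    or a PE executable by header, whatever its extension says."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            with zf.open(info) as member:
                magic = member.read(2)  # only the first two bytes are needed
            reasons = []
            if suffix == ".xll":
                reasons.append("xll-extension")
            if magic == b"MZ":
                reasons.append("pe-header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_archive_members(build_sample_zip()):
        print(finding["name"], ",".join(finding["reasons"]))
```

The same check can be run over an archive fetched by a mail gateway before the attachment is released to the user.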

Asked whether the trial of new attack tactics, techniques, and procedures (TTPs) was linked to the new rules on macro-enabled Office documents, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said it “absolutely” was.

“This is something threat actors who are agile and experienced like TA542 will likely continue to do as time goes on,” she said to IT Pro. “The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision.

“Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point towards XLL files being one direction the landscape may shift toward.”

Microsoft announced changes to the default handling of VBA macros in February, and the rules came into force this month. It also said last year that it would disable XL4 macros; both moves were made to stymie cyber attacks that use this method of payload delivery.


IT Pro asked Proofpoint for data on the number of successful Emotet attacks it has observed, and the number of Emotet attacks taking place since its 2021 resurgence, but it was unable to share the data.

Other cyber security outfits, such as Black Lotus Labs, have published their findings after tracking Emotet’s new version, saying that in March 2022, unique Emotet detections were in the tens of thousands per day. Check Point also said it was the most prevalent malware strain it tracked in March 2022.

“After months of consistent activity, Emotet is switching things up,” said DeGrippo. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns.

“Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”
