Using BASIC or Visual BASIC programming scripts can add automation and other functions to documents created in the Microsoft Office productivity suite of products. Unfortunately, this feature can be used by cyber-attackers to send malware exploits in otherwise innocuous looking documents that most people would open without a second thought.
The macro virus goes back to 1995, the most infamous being the Melissa email macro virus that $80 million in damages to US Businesses in 1999. Anti-malware tools were updated to bring this under control, and Microsoft released patches to Windows and the Office suite to correct some of the security flaws that allowed this problem to occur. And so the macro virus faded into history.
Even though this threat has lain dormant for nearly 20 years, unfortunately over the last year it has returned. There are a couple of good articles in Sophos and one on Kaspersky (see links that follow) if you want more of the technical details. These exploits will show up in your email as an attached Word, Excel, Powerpoint, or perhaps even a web document or PDF. Look for file attachments ending in .doc, .docx, .xls, ,xlsx, .ppt, .pptx, .mhtml, .pdf.
As we have advised before, checking attachments out in VirusTotal will be your best protection. It never hurts to confirm the purpose and contents of an email attachment with the sender, but instead of hitting reply and sending your query back to the attacker, open a new email from your contact list or make a phone call to the apparent sender. Many times when I have done this the person has not sent anything and the bullet in the inbox was dodged. Accepting unsolicited attachments from unknown senders is just a bad idea at all times.
So watch your inbox and treat all attachments with suspicion, and you should be able to avoid this returning threat.
More Information:
- Sophos – Why Word Macro Viruses Are Back
- Sophos – Why Word malware is BASIC
- Kaspersky – What is a Macro Virus
- Virus Bulletin – MWI-5: Operation HawkEye – a detailed description of the payload and attack vectors.
NOV
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com