With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their tactics, techniques, and procedures (TTPs).

"The use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022," Proofpoint said in a report shared with The Hacker News, calling it "one of the largest email threat landscape shifts in recent history."

In its place, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns to distribute malware.

"Threat actors pivoting away from directly distributing macro-based attachments in email represents a significant shift in the threat landscape," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.


"Threat actors are now adopting new tactics to deliver malware, and the increased use of files such as ISO, LNK, and RAR is expected to continue."

VBA macros embedded in Office documents sent via phishing emails have proven to be an effective technique in that it allows threat actors to automatically run malicious content after tricking a recipient into enabling macros via social engineering tactics.

However, Microsoft's plans to block macros in files downloaded from the internet have led to email-based malware campaigns experimenting with other ways to bypass Mark of the Web (MOTW) protections and infect victims.

This involves the use of ISO, RAR and LNK file attachments, which have surged nearly 175% during the same period. At least 10 threat actors are said to have begun using LNK files since February 2022.

"The number of campaigns containing LNK files increased 1,675% since October 2021," the enterprise security company noted, adding the number of attacks using HTML attachments more than doubled from October 2021 to June 2022.


Some of the notable malware families distributed through these new methods consist of Emotet, IcedID, Qakbot, and Bumblebee.

"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," DeGrippo told The Hacker News in an emailed response.

"There are also cases where the attack chains are more convoluted, for example, with some recent Qbot campaigns where a .ZIP containing an ISO is embedded within an HTML file directly attached to a message."

"As for getting intended victims to open and click, the methods are the same: a wide array of social engineering tactics to get people to open and click. The preventive measures we use for phishing still apply here."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.