In a brief warning alert last week, US-CERT urged individuals and organizations to proactively secure systems against an increase in malware spread via macros. Mimecast is today offering new guidance to help organizations combat this threat.
Our own research also points to a resurgence of this attack technique. We found that:
- 50% of firms have seen an increase in email attacks that use macros in attachments
- 44% saw an increase in attacks that use social engineering to persuade users to enable macros
- 67% are not confident that employees would spot this combined attack
These findings come from a recent Mimecast security survey of 436 IT experts at organizations in the US, UK, South Africa and Australia, conducted in March 2016.
While most organizations choose to block executable attachments at the gateway by default, they must still allow files such as Microsoft Office documents to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats.
Here’s a recent targeted attack email we saw containing a weaponized attachment:
Mimecast Email Security Guide to Stop Malicious Macros
Here are five recommendations to help you stop weaponized attachments and macro-enabled malware:
- Ensure macros are not enabled by default across your Microsoft Office application estate, and that ‘Protected View’ is enabled at all times
- Consider disabling macros and VBA code in all but essential applications
- Ensure all email attachments are sandboxed by an appropriately advanced email security gateway. Remember that non-sandboxing gateways cannot recognize or signature macros, because the macro code is not itself a viral payload
- Consider a secure email gateway that offers the capability to neutralize weaponized attachments, or strip active code from all inbound Office documents
- Train and educate end users on the changing nature of threats in email. Ensure they understand the risks presented to their inboxes and how to handle unexpected email and attachments, and that they understand the hacker’s tactics and can recognize simple social engineering attacks
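Recommendations three and four above rest on a gateway being able to recognize a macro container and strip the active code from it. The following is an added example, not Mimecast's code or a description of its product, showing how that can be done for Office 2007+ (OOXML) files with only the Python standard library. It relies on the package format's structural markers (the vbaProject.bin part, its content type in [Content_Types].xml and its relationship entry) rather than on a signature for the macro code itself. Legacy binary .doc/.xls files store macros as OLE streams and are not handled here; the sample document produced by build_sample is constructed in memory for the demonstration.

```python
"""Recognise and strip VBA macro projects in OOXML Office files (.docm/.xlsm/.pptm).
Added example, standard library only. An Office 2007+ file is a ZIP package: the VBA
project is a part such as word/vbaProject.bin, declared in [Content_Types].xml with
content type application/vnd.ms-office.vbaProject and linked from a .rels file."""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
# Macro-enabled main-part content types -> macro-free equivalents (.docm -> .docx etc.)
MACRO_FREE_MAIN_TYPE = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}

def find_macro_parts(package: bytes) -> list:
    """ZIP members holding VBA code, or [] if none. Non-ZIP input (e.g. a legacy
    binary .doc, which stores macros differently) also yields [] and needs its own parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            names = zf.namelist()
            # Name-based check: vbaProject.bin / vbaProjectSignature.bin in any folder
            hits = {n for n in names if n.rsplit("/", 1)[-1].lower().startswith("vbaproject")}
            # Manifest-based check: catches a renamed part that is still declared as VBA
            if "[Content_Types].xml" in names:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
                for ov in root.iter(f"{{{CT_NS}}}Override"):
                    if ov.get("ContentType") == VBA_CONTENT_TYPE:
                        hits.add(ov.get("PartName", "").lstrip("/"))
            return sorted(h for h in hits if h in names)
    except (zipfile.BadZipFile, ET.ParseError):
        return []

def _clean_content_types(xml: bytes, macro_parts: set) -> bytes:
    """Drop manifest entries for VBA parts; re-type the main part as macro-free."""
    root = ET.fromstring(xml)
    for el in list(root):
        ctype = el.get("ContentType", "")
        if ctype == VBA_CONTENT_TYPE or el.get("PartName", "").lstrip("/") in macro_parts:
            root.remove(el)
        elif ctype in MACRO_FREE_MAIN_TYPE:
            el.set("ContentType", MACRO_FREE_MAIN_TYPE[ctype])
    ET.register_namespace("", CT_NS)  # serialise with the default namespace, no ns0: prefix
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def _clean_rels(xml: bytes) -> bytes:
    """Drop relationships that point at the VBA project."""
    root = ET.fromstring(xml)
    for rel in list(root):
        if "vbaProject" in rel.get("Type", ""):
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")

def strip_macros(package: bytes) -> bytes:
    """Copy of the package with VBA parts, their manifest entries and relationships
    removed; a package without macros is returned unchanged."""
    macro_parts = set(find_macro_parts(package))
    if not macro_parts:
        return package
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in macro_parts:
                continue  # the active code itself is dropped
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data, macro_parts)
            elif name.endswith(".rels"):
                data = _clean_rels(data)
            dst.writestr(name, data)
    return out.getvalue()

def read_part(package: bytes, name: str) -> bytes:
    """Read one ZIP member (used to inspect the result of stripping)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(name)

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word package for this demonstration (not a real document);
    with_macro=True mimics a .docm carrying a VBA project."""
    docm_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    main = docm_type if with_macro else MACRO_FREE_MAIN_TYPE[docm_type]
    ct = [f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" ContentType="{main}"/>']
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if with_macro:
        ct.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        rels.append(f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct) + "</Types>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels) + "</Relationships>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:  # placeholder bytes standing in for the OLE container, not real VBA
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()
```

Because stripping changes the main part's content type from the macroEnabled variant to the plain one, a gateway delivering the cleaned file should also rename the attachment (for example .docm to .docx) so the extension matches the content, and should tell the recipient that active content was removed rather than delivering the file silently.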
You can see more examples in my recent security advisory on macro threats.