Microsoft’s Fight Against Macros
Announced just a day ago: to combat the macros embedded in documents sent via email, which are responsible for the carnage of ransomware and other malicious payloads, Microsoft will now be disabling macros in five Office applications by default.
This is great news. Typically, tricking the user into letting malicious code run was easy to do.
Let’s break down Microsoft’s change.
Starting in April 2022 with Version 2203, which begins in the Current Channel (Preview), Microsoft will roll out the change that prevents users from enabling blocked macros with a single click of a button.
VBA Macros (What are they?)
VBA is short for Visual Basic for Applications. VBA can be used to access the Windows Application Programming Interface (API). Macros are part of the active content options that Microsoft shipped as part of its automation capabilities, which let users run tasks in the background of things like Word and Excel documents. Unfortunately, malware creators have used those macro functions and capabilities to download and run malware on a large scale.
Attackers in general have always liked macros, because they often provide a simple and reliable way to spread malware using the legitimate features of the application, all without relying on any existing vulnerability or exploit. Attackers like Emotet are well known for sending emails that contain malicious Word documents, sometimes as an attachment, but often as a downloadable file referenced by a URL link in the email.
This is so they can move the file to new websites to evade blocking once the old ones are caught… When the user opens the document, they are prompted to enable macros so that the malicious code hidden in that Word document can run and install the Emotet malware on the computer.
Blocking Policy (What will it do, and what will it say?)
With this new change, untrusted macros will be blocked by default in Access, Excel, PowerPoint, Visio, and Word for any file downloaded from the Internet. Users will also no longer be able to enable the content with a simple click of a button.
Instead, a security alert will appear:
SECURITY RISK Microsoft has blocked macros from running because the source of this file is untrusted. Learn More
The Learn More button goes to an article that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros by saving the file and removing the Mark of the Web (MOTW).
Mark of the Web (Tell me more, what is this thing?)
The MOTW is an attribute added to files when Windows sees that the file came from an untrusted location, such as the Internet or a Restricted zone configured by the administrator. Since the new warning and block depend on this MOTW, it is very important to understand what it really is. So, let’s dive a bit deeper into it…
In Windows, when files are downloaded from an untrusted location like the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier. This can only happen if the disk where Windows is installed is formatted as NTFS, because FAT32 cannot store this stream… so ensure you are on NTFS.
Are there ways you can defeat MOTW?
There are currently two main techniques that malware can use to circumvent the MOTW attribute. Both have been seen in the wild and can be summed up as two main tactics.
Abusing software that does not see MOTW. The file sent to you as an attachment is in a format handled by software that does not set or use the Zone.Identifier information. This works because some cloning or archiving software does not propagate the MOTW to the cloned or extracted file.
Abusing container formats. The payload is stored in a container or file format that does not support the NTFS alternate data stream feature. A good example of this is using an ISO image file to store the payload in.
The first tactic takes a bit of sleuthing on the part of the attacker, since they need to know how their victim handles certain file formats… because not all archiving and cloning software drops the MOTW attribute.
What can help you see this today and tomorrow?
In the release of Sysmon 11.1, the XML schema was updated to capture the “Mark of the Web” (MOTW). This data is captured by Event ID 15, the FileCreateStreamHash event, and shown in the Contents field. This works out to roughly 3-6 events per downloaded file, mainly due to the default behavior of urlmon.dll, the library responsible for downloading files via HTTP: it opens and closes the stream multiple times while appending the MOTW information. In Sysmon 11.1, once you enable the FileCreateStreamHash event (Event ID 15) for certain directories, the MOTW contents will be included from there.
With this information, you can see the URLs for a downloaded file… but is it useful? Yes: it makes it easy to determine who needs to be triaged, since you now have a very clear source for where the malicious file came from, and using this event you can find all users who downloaded the same items. So, if you do enable this, please ensure that you set up the folders correctly, enabling it on each user’s Downloads folder, the Office downloads folder, and anywhere else you think a file can be saved to.
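As an added example (not code from the original post), here is a small Python triage helper that parses the Zone.Identifier text described above, as stored in the ADS and surfaced in the Contents field of Sysmon Event ID 15, flags the untrusted zones Office now blocks, and groups downloads by HostUrl so you can find every user who pulled the same file; the sample event records and their field names are constructed for this example, not Sysmon’s own XML.

```python
"""Parse Mark-of-the-Web (Zone.Identifier) text and triage Sysmon Event ID 15
Contents values. Added example; the sample records below are constructed."""
from collections import defaultdict

# URL security zone ids as written in a Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(contents: str) -> dict:
    """Parse the INI-style [ZoneTransfer] text into a dict: int ZoneId, its
    ZoneName, plus ReferrerUrl/HostUrl when present. ValueError if no ZoneId."""
    section, fields = None, {}
    for raw in contents.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no [ZoneTransfer] ZoneId in stream contents")
    fields["ZoneId"] = int(fields["ZoneId"])
    fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields

def is_untrusted_zone(contents: str) -> bool:
    """True for the zones Office treats as untrusted, Internet (3) and
    Restricted sites (4), where macros are now blocked by default."""
    return parse_zone_identifier(contents)["ZoneId"] in (3, 4)

def downloads_by_host(events: list) -> dict:
    """Map HostUrl -> sorted unique (user, file) pairs, collapsing the 3-6
    Event ID 15 records urlmon writes per download into one pair each."""
    by_host = defaultdict(set)
    for ev in events:
        try:
            info = parse_zone_identifier(ev["Contents"])
        except ValueError:
            continue  # some other ADS, not a Zone.Identifier stream
        by_host[info.get("HostUrl", "(no HostUrl)")].add((ev["User"], ev["TargetFilename"]))
    return {host: sorted(pairs) for host, pairs in by_host.items()}

# Constructed sample: one download logged three times for alice and once for bob.
MOTW = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
        "HostUrl=https://files.example.test/invoice.docm\r\n")
SAMPLE_EVENTS = [{"User": "CORP\\alice", "Contents": MOTW,
                  "TargetFilename": r"C:\Users\alice\Downloads\invoice.docm:Zone.Identifier"}] * 3
SAMPLE_EVENTS += [{"User": "CORP\\bob", "Contents": MOTW,
                   "TargetFilename": r"C:\Users\bob\Downloads\invoice.docm:Zone.Identifier"}]
```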
Here are some example Sysmon logs that show this (the six events, in order):
Removing the MOTW attribute manually (How do you do this, how can this be risky?)
On a file-by-file basis, users can remove the MOTW attribute in the file properties. This is helpful to know, since an attacker could socially engineer the user into removing it by claiming this action is “more safe” or “required
The option to “Unblock” a file can be found in the file properties, on the General tab, under Security. There, a user can put a checkmark in the Unblock option.
Microsoft is implementing a long-overdue request: the blocking of macros from untrusted sources. This blocking requires that the system’s filesystem be NTFS, as opposed to FAT. A note of caution: USB devices may use FAT for cross-OS compatibility. Also, not all file types carry the Zone.Identifier used to trigger the block. Lastly, users may be tricked into turning off this identifier. In short, this is a major security improvement by Microsoft, just not complete in its implementation.
Note: organizations are already able to use the “Block macros from running in Office files from the Internet” policy. You MUST enable this in Office 365 in order to prevent users from inadvertently opening files from the Internet that contain macros. Microsoft recommends enabling this policy, and if you already have this setting enabled, your organization won’t be affected by this change come early April 2022. This option has been available since Microsoft Office 2013 and in all versions thereafter.
Flowchart graphic on how Office determines whether to run macros. (reference here)