Adversaries adjust strategies following Microsoft's macro blockade implemented over a year ago
In recent months, there has been a notable shift in the tactics used by cyber threat actors. This evolution has been highlighted by an increase in the use of OneNote files and a method called HTML smuggling, according to a report released by Proofpoint.
OneNote files, traditionally associated with productivity and note-taking in Microsoft 365, have emerged as a new file type in attack chains. Since early 2023 there has been a spike in attacks delivering OneNote files with embedded scripts, a trend noted by Selena Larson, senior threat intelligence analyst at Proofpoint.
HTML smuggling, a technique in which an encoded script or payload is hidden inside an HTML attachment and reassembled by the browser when the recipient opens the file, has also been on the rise since June 2022. Because the malicious file is built locally rather than fetched from a URL, e-mail gateways that scan attachments or reputation-check links see only innocuous-looking HTML. The method was initially employed by the threat actors tracked as TA570 and TA577, and after October 2022 it spread to campaigns run by other groups.
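The reassembly-and-drop pattern described above leaves recognisable traces in the attachment itself. The following scanner is an added example, not code from the Proofpoint report or this article: it flags an HTML file that carries a long base64 blob decoding to a known container type and whose script both rebuilds that blob (atob, Blob, data: URI) and forces a download (download attribute, createObjectURL, msSaveOrOpenBlob, a synthetic click). The indicator list, the 400-character threshold, the file-type table and both sample pages are constructed assumptions for illustration.

```python
"""Heuristic scanner for HTML smuggling in e-mail attachments (added example)."""
import base64
import binascii
import io
import re
import zipfile

# Script constructs by which a smuggling page reassembles and drops its payload
# in the browser instead of linking to it. Assumed indicator set, not exhaustive.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"navigator\.msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "data_uri_octet": re.compile(r"data:application/octet-stream;base64,", re.I),
}

# A long run of base64 text embedded in the page is where the payload hides
# (threshold of 400 characters chosen for this example).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")

# Magic bytes of container types commonly smuggled.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x7fELF", "elf"),
]


def identify(blob: bytes) -> str:
    """Return a file-type label for a decoded blob, or 'unknown'."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    # ISO 9660 images carry the 'CD001' volume descriptor at offset 0x8001.
    if len(blob) > 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def analyze(html: str) -> dict:
    """Score an HTML attachment for smuggling indicators.

    Returns the matched script indicators, the largest embedded base64 blob
    (decoded size and type) and a verdict: 'clean', 'suspicious' or
    'likely_html_smuggling'.
    """
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))

    payload_size, payload_type = 0, None
    for run in BASE64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(run.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long token or hash)
        if len(decoded) > payload_size:
            payload_size, payload_type = len(decoded), identify(decoded)

    # Reassembly plus a forced download on top of an embedded payload of a
    # known container type is the smuggling pattern; either half alone is
    # merely suspicious.
    reassembles = bool({"atob", "blob_ctor", "data_uri_octet"} & set(hits))
    drops = bool({"download_attr", "ms_save_blob", "auto_click", "object_url"} & set(hits))
    if payload_type not in (None, "unknown") and reassembles and drops:
        verdict = "likely_html_smuggling"
    elif hits or payload_size:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "payload_size": payload_size,
            "payload_type": payload_type, "verdict": verdict}


def make_zip_payload() -> bytes:
    """Build a small zip archive in memory to stand in for a smuggled payload (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.lnk", bytes(range(256)) * 3)  # filler bytes, not a real shortcut
    return buf.getvalue()


PAYLOAD_B64 = base64.b64encode(make_zip_payload()).decode()

# Constructed sample attachment reduced to the mechanics of a smuggling lure.
SMUGGLING_SAMPLE = f"""<html><body><p>Loading secure document...</p>
<script>
var b64 = "{PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2023.zip";
a.click();
</script></body></html>"""

# Constructed benign page with an ordinary link and a harmless inline script.
BENIGN_SAMPLE = """<html><body><h1>Quarterly newsletter</h1>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<a href="https://example.com/report.pdf">Download the report</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(page))
```

The verdict deliberately requires all three elements, because a page that merely uses `atob` or carries a large base64 image is common in legitimate mail; tuning the threshold and the indicator set against a corpus of real attachments is where the operational work lies.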
This shift away from macros, long the most common delivery mechanism in attacks, is significant. Microsoft announced in October 2021 and February 2022 that it would block XL4 and VBA macros by default, respectively. Since that blocking took effect, observed macro use has fallen by roughly two-thirds.
Multiple groups, including initial access brokers, have been observed launching attacks with PDF attachments since December 2022, with a spike in early 2023. Threat actors regularly rotate the file types they use, however, which points to a more adaptive and fast-changing threat landscape.
Proofpoint observed almost 700 campaigns using VBA macros in 2021 and nearly as many using XL4 macros. Since June 2022, as the default blocking took hold, that volume has shifted toward HTML smuggling and other delivery methods; attackers have also hidden malware in the pixel data of image files embedded in Microsoft Compiled HTML Help (CHM) files and leaned on living-off-the-land tools to evade detection.
While Microsoft officials did not respond to a request for comment regarding the shift in attack tactics, the data suggests a clear trend towards more sophisticated and less predictable methods being used by cyber threat actors. As always, it is crucial for users to remain vigilant and practise safe computing habits to protect themselves from these threats.