Social engineering, in this case phishing, is a huge concern for all organizations. The enterprise spends a lot of time and money implementing technical controls such as firewalls, IDS, and IPS to combat security concerns. Yet phishing and other social engineering tactics are like water: they can work through any fracture or unsealed section of the controls.
Office documents with macros are a popular way for attackers to infect an employee’s computer. You know the scenario:
- Employee receives email with Word document attached
- Email is interesting or enticing enough for the employee to open the attachment
- Employee enables macros to view the document
- The macro installs malware on the system
Most recently, we have been seeing a lot of ransomware being distributed, which encrypts files and provides a decryption key only when you pay some pre-determined fee. Of course, you can typically recover from backups, if you have them. Now is a good time to make sure the backups are working properly, just in case.
Microsoft has added a new feature to Office 2016 to help prevent employees from running macros in certain scenarios. The simple idea is that if the document comes from the Internet, via email from outside the company domain, or from public shares, Word will disable the macros or make them much more difficult to enable. This is configurable via GPO.
For the full story on how this works, check out Microsoft’s blog post about the feature: https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
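To confirm the GPO actually landed on a workstation, the following check can be run as the logged-on user. It is an added example, not code from this post or from Microsoft. It assumes the policy is stored as the DWORD `blockcontentexecutionfrominternet` under each application's `Security` policy key and that Internet origin is recorded in the file's `Zone.Identifier` stream; neither detail is stated in the post, and the function names are hypothetical.

```powershell
# Added example: audit the Office 2016 "block macros from the Internet" policy.
# Assumption (not from the post): the GPO writes a DWORD named
# 'blockcontentexecutionfrominternet' (1 = enabled) under
# HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security.

function Get-MacroBlockPolicy {
    # Hypothetical helper: reports the policy state per Office application.
    param([string[]]$App = @('Word', 'Excel', 'PowerPoint'))
    foreach ($a in $App) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$a\Security"
        $prop = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                    -ErrorAction SilentlyContinue
        $val  = if ($prop) { $prop.blockcontentexecutionfrominternet } else { $null }
        [pscustomobject]@{
            App      = $a
            Value    = $val            # $null means the policy is not configured
            Enforced = ($val -eq 1)
        }
    }
}

function Test-InternetOrigin {
    # Hypothetical helper: does this file carry an Internet-zone marker?
    # Assumption: origin is recorded in the NTFS alternate data stream
    # 'Zone.Identifier' with ZoneId=3 for the Internet zone.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' `
                -ErrorAction SilentlyContinue
    if (-not $zone) { return $false }   # no stream: not marked as downloaded
    return [bool]($zone -match '^ZoneId=3\s*$')
}

# Report any application where the policy is missing or disabled.
$report = Get-MacroBlockPolicy
$report | Format-Table -AutoSize
$gaps = $report | Where-Object { -not $_.Enforced }
if ($gaps) {
    Write-Warning ("Macro blocking not enforced for: " + ($gaps.App -join ', '))
}

# Example use on a saved attachment (path is a constructed placeholder):
# Test-InternetOrigin -Path "$env:USERPROFILE\Downloads\invoice.docm"
```

A document that returns `$false` from `Test-InternetOrigin` is not marked as coming from the Internet, so this policy alone would not stop its macros.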
It is great to see features like this added to products. While this does not close every attack vector out there, it helps reduce the risk of a very popular one. Every little bit counts and this is a step in the right direction. If you are using Office 2016, it is a good idea to look into this feature.
James Jardine is the CEO and Principal Consultant at Jardine Software Inc. He has over 15 years of combined development and security experience. If you are interested in learning more about Jardine Software, you can reach him at james@jardinesoftware.com or @jardinesoftware on Twitter.