Do you deal with MS Word files on the daily basis?
If yes, then are you aware that even opening a simple doc file could compromise your system?
It is a matter to think that the virus does not directly affect you, but it is you who let the virus carry out the attack by enabling deadly "Macros" to view the doc contents that are generally on eye-catching subjects like bank invoice.
How Macros are Crippling your System?
The concept of Macros dates back to 1990s. You must be familiar with this message: "Warning: This document contains macros."
A Macro is a series of commands and actions that help to automate some tasks. Microsoft Office programs support Macros written in Visual Basic for Applications (VBA), but they can also be used for malicious activities like installing malware.
Hackers are cleverly using this technique on the shade of social engineering by sending the malicious Macros through doc file or spreadsheet with an eye-catching subject in the mail to the corporate networks.
Once a user opens the malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file, and a popup window appears that states "Enable Editing" to view the content.
Once the users click Enable Editing, the malicious file then begins to perform the notorious activities in the system such as to get embedded into other doc files to proliferate the attacking rate that results in crippling your system network.
All those actions would depend upon payload program defines inside the Macro.
Dridex and Locky are Warning Bells!!!
No other incidents could get you the clear picture on the potential threat of Macro viruses apart from Dridex Malware and Locky Ransomware. Both malware had made use of the malicious Macros to hijack systems.
Over 20 Million Euro had been stolen from the UK banks with the Dridex Malware, which got triggered via a nasty macro virus. The infectious bar of Locky ransomware had also seen an exponential growth in a couple of hours.
How to Protect Yourself from Macro-based Malware?
Step 1: Configure Trusted Location
Since disabling Macros is not a feasible option, especially in an office environment where Macros are designed to simplify the complex task with automation.
So, if your organization relies on Macros, you can move files that use Macros into the company’s DMZ (Demilitarized Zone), also called Trusted Location.
To configure the trusted location, you can navigate via:
User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations
Once configured, the Macros that does not belong to the trusted location would not run in any way, beefing up your system’s security.
Step 2: Block Macros in Office Files that came from the Internet
Microsoft had recently unveiled a novel method by implementing a new tactical security feature to limit the Macro execution attack in MS Office 2016, ultimately preventing your system from hijacking.
The new feature is a group policy setting that lets enterprise administrators to disable macros from running in Office files that come from the Internet.
The new setting is called, "Block macros from running in Office files from the Internet" and can be navigated through the group policy management editor under:
User configuration > Administrative templates > Microsoft Word 2016 > Word Options > Security > Trust Center
It can be configured for each Office application.
By enabling this option, macros that come from the Internet are blocked from running even if you have ‘enable all macros’ in the Macros Settings.
Moreover, instead of having the option to ‘Enable Editing,’ you’ll receive a notification that macros are blocked from running, as the document comes from an Untrusted Source.
The only way to run that particular Office file is to save it to a trusted location, allowing macros to run.