Default macro blocking prompts ransomware attack changes

Threat actors have been moving away from Office macros in ransomware attacks since Microsoft announced that such macros would be disabled by default, with the share of pre-ransomware events using VBA or Excel 4.0 macros dropping from 55% to 9% between the first and second quarter of 2022, VentureBeat reports. Default blocking of macros has prompted malicious actors to switch to HTML application, shortcut, and disk image files for initial network access, according to a report from Expel. "Microsoft's announcement that it would block macros by default in Microsoft Office applications appears to have changed the game for attackers," said Expel Vice President of Security Operations Jonathan Hencinski. New attacks using proven techniques could be curbed by configuring Windows Script Files, HTML for Application, and JavaScript files to operate with Notepad, Hencinski said. Organizations have also been urged to update Windows Explorer to omit ISO file extensions in an effort to prevent unintended execution of malicious software.
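One way to check the Notepad recommendation on a Windows host, as an added example that is not from the article or from Expel: it reports which program opens `.wsf`, `.hta` and `.js` files and, with `-Fix`, re-points the handler to Notepad. The function name `Test-ScriptHandler` and the `-Fix` switch are hypothetical, and the script assumes the machine-wide `open` verb is what a double-click runs.

```powershell
# Added example (not from the article). Audits the machine-wide "open" handler
# for the script types named in the article and optionally sets it to Notepad.
# Caveat: a per-user choice under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice
# can take precedence over HKLM and is not examined here.
function Test-ScriptHandler {
    param(
        [string[]]$Extensions = @('.wsf', '.hta', '.js'),
        [switch]$Fix   # needs an elevated session because it writes under HKLM
    )
    $classes = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    $notepad = '"%SystemRoot%\system32\notepad.exe" "%1"'

    foreach ($ext in $Extensions) {
        # The extension key's default value names its ProgID (for example JSFile).
        $progId = (Get-ItemProperty -Path "$classes\$ext" -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) {
            [pscustomobject]@{ Extension = $ext; ProgId = $null; Command = $null; OpensInNotepad = $false }
            continue
        }

        $cmdKey = "$classes\$progId\shell\open\command"
        if ($Fix) {
            if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad -Type ExpandString
        }

        # Read the value back so the report reflects the current state.
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Extension      = $ext
            ProgId         = $progId
            Command        = $command
            OpensInNotepad = [bool]($command -match 'notepad\.exe')
        }
    }
}

# Report only; add -Fix from an elevated prompt to apply the change.
Test-ScriptHandler | Format-Table -AutoSize
```

In a managed environment the same association is normally pushed through Group Policy or an endpoint management tool rather than set host by host.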
