Microsoft Targets Macro-Borne Malware in Office 365 ProPlus

Microsoft recently introduced a technology called Antimalware Scan Interface (AMSI) to Office 365 ProPlus, giving subscribers a new layer of protection against malicious macros.

AMSI has been around since 2015, but only now has it been integrated with Office 365 ProPlus. Microsoft turned AMSI on by default "on the Monthly Channel for Office 365 client applications including Word, Excel, PowerPoint, Access, Visio and Publisher," Microsoft indicated in its announcement last week.

The exact timing of the new protections for Office 365 tenancies wasn't clarified in the announcement. It can sometimes take a month from announcement for Microsoft to roll out a new Office 365 feature.

With AMSI turned on, it's possible to detect malicious software even in obfuscated code, Microsoft's announcement suggested. IT pros also get greater control over what macros can do at runtime.

With AMSI's integration with Office 365 ProPlus, IT professionals now have a new Group Policy security setting called "Macro Runtime Scan Scope." This policy lets IT pros disable scanning for all documents, enable scanning for low-trust documents only, or enable scanning for all documents.

For Office 365 tenancies, AMSI will scan macros at runtime to detect malicious code. However, it won't scan macros under the following conditions:

  • Documents opened while macro security settings are set to "Enable All Macros"
  • Documents opened from trusted locations
  • Documents that are trusted documents
  • Documents that contain VBA [Visual Basic for Applications] that is digitally signed by a trusted publisher
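As an added illustration (not part of the article or of Microsoft's own tooling), the PowerShell audit below reads the "Macro Runtime Scan Scope" policy and flags the two exemptions an administrator can check locally: "Enable All Macros" and trusted locations. The registry paths and value names (MacroRuntimeScanScope, VBAWarnings, Trusted Locations) are assumed to follow Microsoft's Office 16.0 policy layout; confirm them against your ADMX templates before relying on the output.

```powershell
# Added example, not from the article. Read-only audit of AMSI macro-scan coverage.
# ASSUMPTION: value names and paths follow the Office 16.0 policy layout; verify locally.
$office    = '16.0'
$policySec = "HKCU:\Software\Policies\Microsoft\Office\$office\Common\Security"
$userSec   = "HKCU:\Software\Microsoft\Office\$office\Common\Security"

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# A Group Policy value takes precedence over the user-level value when both exist.
$scope = Get-RegValue $policySec 'MacroRuntimeScanScope'
if ($null -eq $scope) { $scope = Get-RegValue $userSec 'MacroRuntimeScanScope' }

$scopeText = switch ($scope) {
    0       { 'Disabled for all documents' }
    1       { 'Enabled for low-trust documents only' }
    2       { 'Enabled for all documents' }
    default { 'Not set (Office default applies)' }
}
Write-Output "Macro Runtime Scan Scope: $scopeText"

foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio', 'Publisher') {
    $appPolicy = "HKCU:\Software\Policies\Microsoft\Office\$office\$app\Security"
    $appUser   = "HKCU:\Software\Microsoft\Office\$office\$app\Security"

    # VBAWarnings = 1 is "Enable All Macros"; the article notes AMSI does not scan in that mode.
    $warn = Get-RegValue $appPolicy 'VBAWarnings'
    if ($null -eq $warn) { $warn = Get-RegValue $appUser 'VBAWarnings' }
    if ($warn -eq 1) { Write-Warning "${app}: 'Enable All Macros' is set; macros will not be scanned." }

    # Documents opened from trusted locations are also exempt; list them for review.
    $tl = "$appUser\Trusted Locations"
    if (Test-Path $tl) {
        Get-ChildItem $tl | ForEach-Object {
            $p = Get-RegValue $_.PSPath 'Path'
            if ($p) { Write-Output "$app trusted location (unscanned): $p" }
        }
        if ((Get-RegValue $tl 'AllowNetworkLocations') -eq 1) {
            Write-Warning "${app}: network paths are permitted as trusted locations."
        }
    }
}
```

Run it in the context of the user whose Office settings you want to audit; HKCU is per-user, so an elevated session shows the administrator's own hive, not the end user's.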

AMSI doesn't appear to be a security solution in itself. Instead, Microsoft describes AMSI as a "generic interface standard that allows applications and services to integrate with any antimalware product present on a machine." Apparently, AMSI just enables existing antimalware solutions to check the macros. It can use either Microsoft's antimalware solutions or "third-party" antimalware solutions.

Microsoft pointed to its Windows Defender Advanced Threat Protection service as one endpoint solution that could be used with AMSI.

AMSI does appear to be more than just a generic interface, though, because it logs information. It'll log "suspicious URLs" and "suspicious file names," for instance. It'll stop the execution of a macro if it sees the behavior of the macro as being malicious. At that point, the end user will get notified, and it'll also shut down the application.

The use of Office macros may be one of the leading delivery approaches for malware authors, according to recent analysis by Cofense, a provider of e-mail security. Malicious macros in Office documents accounted for "45% of all delivery mechanisms analyzed," Cofense noted in a Sept. 13 blog post. In addition, the macro delivery method was representative of the "most malignant" kinds of malware, including "Geodo, Chanitor, AZORult, and GandCrab."

Basically, macros are popular with malware writers because a single click from end users can enable them. Organizations can block all macros, but that approach might not be viable for "most businesses," the Cofense blog indicated. Cofense recommended having "tailored policies" in place to achieve both security and usability.

Like Cofense, endpoint protection solution provider Barkly also noted the resurgence of macros as a means for spreading malware. A Barkly blog post from last year noted that Microsoft had long ago disabled automatic macro execution. Instead, end users now have to execute the macros themselves. However, the macro attack method became popular again for malware authors because it was easier to get end users to click on a familiar-looking document to execute malicious code than it was to get them to download malicious content, the Barkly post argued.

Microsoft, too, noted the resurgence of Office macros as a means for spreading malware. Its announcement suggested that better operating system and application security may have caused attackers to go that route.

"Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros," Microsoft's announcement indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
