In my experience, one of the most prevalent threats to today’s enterprise networks comes in the form of malicious email attachments (shocker!). Attackers leverage document types that are most likely to be handled by software already installed on the victim endpoint, making Microsoft Office a prime target. Yes, in 2016, malicious macros are still a major problem.
Almost all organizations rely on macros for business functions as they provide significant value in the form of automation. Some security-conscious organizations have even taken the rash approach of blocking macros altogether. Others struggle to find the delicate balance between allowing legitimate macros while reducing the likelihood of malicious code execution via Microsoft Office documents.
As Windows 10 and other modern operating systems migrate towards enforcing trusted digital signatures on executable code, why should enterprise admins continue to allow unsigned macro code (copied and pasted from Stack Overflow by Jane Doe in accounting) to run rampant? Macro security is not an all-or-nothing choice; your enterprise can keep using macros while still reducing (or virtually eliminating) the risk of malicious code in VBA projects.
Jessica Payne with the Microsoft Threat Research team makes a great point; even security teams are failing at securing the macro-enabled threat vector!
A lot of great security orgs have done phenomenal red teaming and threat modeling work on app vulns, and get hit via macros via email.
— Jessica Payne (@jepayneMSFT) September 6, 2016
The chart below highlights email as the primary delivery mechanism for ransomware, where email attachments make up a sizable 28%. While not all of these may be macros, it is safe to assume many likely are.
Source: Osterman Research, August 2016
Fortunately, there is a fairly simple (yet grossly underused) solution to this particular problem that is well within reach of any enterprise operating its own internal Enterprise Certificate Authority. This means the enterprise has already deployed a Trusted Root Certification Authority certificate to all endpoints on the network so that enterprise resources are automatically trusted (think proxies, firewall interception pages, intranet portals, etc.).
Using this same enterprise trust system, system administrators and blue teams can work together to leverage Digital Code Signing and Macro Security settings in Microsoft Office to virtually eliminate the possibility of malicious macros from being executed on domain computers.
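As an added example (not from the original post), here is a PowerShell audit script a blue team could run on a domain workstation to confirm that the policy side of this approach is actually in place: each Office application should be locked by Group Policy to "Disable all macros except digitally signed macros", and the enterprise code-signing certificate should sit in the machine's Trusted Publishers store. It assumes the Office 2016/365 policy registry path (`16.0`) and the standard `VBAWarnings` policy value; the `-Enforce` switch and the application list are my own choices.

```powershell
# Added audit script, not part of the original post.
# Assumption: Office 2016/365 policy hive (16.0); pass -OfficeVersion 15.0 for Office 2013.
param(
    [string]$OfficeVersion = '16.0',
    [switch]$Enforce   # when set, write VBAWarnings=3 (signed macros only) to HKCU policy
)

# Meaning of the VBAWarnings policy value as shown in the Office Trust Center.
$meaning = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (user can click Enable Content)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

$apps = 'Word', 'Excel', 'PowerPoint', 'Access'

foreach ($app in $apps) {
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $value = (Get-ItemProperty -Path $policyPath -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

    # Only values 3 and 4 stop an unsigned macro from running after a user click.
    $signedOnly = ($value -eq 3 -or $value -eq 4)
    $status = if ($null -eq $value) { 'NOT SET by policy (user can change it in Trust Center)' }
              else { $meaning[[int]$value] }

    [pscustomobject]@{
        Application = $app
        VBAWarnings = $value
        Status      = $status
        SignedOnly  = $signedOnly
    }

    if ($Enforce -and -not $signedOnly) {
        # Creating the key under Policies mirrors what the Office ADMX setting writes.
        New-Item -Path $policyPath -Force | Out-Null
        New-ItemProperty -Path $policyPath -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

# A signed macro runs without a prompt only if its signing certificate is a Trusted Publisher,
# so list that store to confirm the enterprise code-signing certificate has been deployed.
Write-Host "`nTrusted Publishers (machine store):"
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize
```

Run it without `-Enforce` first to see the current state; in a managed environment the value should come from Group Policy rather than from this script, which is only a local check and stop-gap.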
Here’s an implementation plan that I have deployed at a large organization with over 10,000 users:
In our implementation of this strategy, we initially reviewed and signed over 200 macros prior to our deadline for signature enforcement. Since the implementation, we receive fewer than 10 macros per week on average, a very light workload for our security team and a small price to pay for a significant increase in our security posture!
If you are considering deploying this effective measure in your own environment, check out this example checklist for macro reviewing and signing, based on one I developed for my own team. It’s stripped down to the very basics, but it is a great start for pointing your code review team in the right direction.