How Cybercriminals Adapted to Microsoft Blocking Macros by Default

Published: 23/11/2024   Category: security


One long-awaited security move caused a ripple effect in the cybercrime ecosystem.



Ever since Microsoft decided to block Office macros by default, threat actors have been forced to evolve, adopting new methods for delivering malware at an unprecedented rate.
For a long time, threat actors have used malicious Microsoft Office macros to get a hook inside of their targets' computers. It was for that reason that, in 2022, Microsoft finally — though unevenly — began blocking macros by default on files downloaded from the Internet.
Now, without their favorite toy, hackers are having to come up with new ways to get their malware where they want it to go.
"In a lot of ways, they're just kind of throwing spaghetti at the wall to see what sticks," says Selena Larson, author of a new report on the trend. "The energy that they're spending to create new attack chains is really unique, and cyber defenders are going to have to keep up."
Rarely has such a simple policy change made such a big difference in the cybercrime landscape. In 2021, the year of Microsoft's announcement, researchers from Proofpoint tracked well beyond a thousand malicious campaigns utilizing macros.
In 2022 — the year the policy change took effect — macro-enabled attacks plummeted 66%. Thus far in 2023, macros have all but disappeared in cyberattacks.
In their place, hackers need some other solution.
Container files emerged as a popular alternative last year, allowing attackers to bypass Microsoft's mark-of-the-Web tag for files downloaded from the Internet. Once Microsoft addressed that workaround, however, such files went the way of the macro.
Since then, hackers have been searching for their new golden goose.
For example, in H2 2022, Proofpoint researchers observed a significant rise in HTML smuggling — slipping an encoded script through an HTML attachment. In 2023, good ol' PDFs have proven a popular file format for attackers. And last December, some malicious campaigns began utilizing Microsoft's note-taking app OneNote as a means for delivering their malware. By January, dozens of threat actors piled onto the trend, and, in recent months, over 120 campaigns have made use of OneNote.
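As an added example (not from the article, Proofpoint or Larson's report), the following Python heuristic flags HTML attachments that show the smuggling pattern described above: a large base64 blob embedded in the page next to the browser APIs a script needs to turn that blob back into a file on the user's disk. The indicator names, the blob-size threshold and the two sample attachments are this example's own assumptions.

```python
import re

# Browser APIs an HTML-smuggling page uses to decode an embedded blob and hand it
# to the user as a downloaded file without any network fetch (pattern names are
# this example's own labels, not a vendor taxonomy).
INDICATOR_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ie_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
}
# A long run of base64 characters inside a string literal is the embedded file.
LARGE_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


def scan_html(text: str, min_indicators: int = 3) -> dict:
    """Heuristic verdict: an embedded blob plus at least `min_indicators`
    file-rebuild APIs. Returns the indicators found, the decoded size of the
    largest blob in bytes and the verdict, so a mail gateway or EDR rule can
    log the evidence rather than just a boolean."""
    found = sorted(name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text))
    blobs = LARGE_BLOB.findall(text)
    blob_bytes = max((len(b) * 3 // 4 for b in blobs), default=0)
    suspicious = blob_bytes > 0 and len(found) >= min_indicators
    return {"indicators": found, "blob_bytes": blob_bytes, "suspicious": suspicious}


# Constructed samples (not real attachments). The blob is a repeated placeholder
# and the script fragments are deliberately incomplete.
BENIGN_SAMPLE = (
    "<html><body><p>Your invoice is attached as a PDF.</p>"
    "<script>document.title = 'Invoice';</script></body></html>"
)
SUSPICIOUS_SAMPLE = (
    "<html><body><script>\n"
    "var data = '" + "QUJD" * 60 + "';\n"
    "var blob = new Blob([atob(data)]);\n"
    "link.href = URL.createObjectURL(blob);\n"
    "link.download = 'invoice.iso';\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan_html(sample))
```

A real deployment would run this over the decoded attachment body at the mail gateway and tune `min_indicators` against the organization's legitimate HTML mail, since single indicators such as a download attribute appear in benign pages too.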
Nothing has stuck, though. "We haven't seen anything that has the same type of durability as the macro-enabled attachment," Larson says.
"Attackers are having to be more creative now, which presents more opportunities for them to screw up or make mistakes," Larson says.
Still, forcing cybercriminals out of their comfort zone comes with a cost. "The speed and the rate and scope of the changes that they're making — all the different attack chains that they're experimenting with — stands out," she says.
And so, cyber defenders will have to move equally fast to keep up. "We're having to be proactive to threat actor behavior and come up with new detections and rules and such, because threat actors are trying different ways to bypass existing detections," she says.
Organizations, too, will need to keep up-to-date with the latest trends. Take security trainings: "I know that a lot of the time, people are trained on macro-enabled documents. Now you have to make your users aware of the new PDF methods and use real-world examples of potential threats to incorporate into security training," she says.
"But from an overall, holistic security viewpoint, I don't think there's anything that needs to drastically change, as long as you are ensuring that users are aware," Larson says. "Just being, like, 'Hey, look out for this type of thing!'"
