Wednesday, May 28, 2025
HomeMalwareHackers Use New Tactics To Spread Malware as Microsoft Blocked Macros by...

Hackers Use New Tactics To Spread Malware as Microsoft Blocked Macros by Default

Published on

SIEM as a Service

Follow Us on Google News

As Microsoft Office began blocking malicious macros by default in many of its programs, hackers began to change their tactics after they had previously distributed malware via phishing attachments with malicious macros.

The cybersecurity experts at Proofpoint have claimed that it has now become more common for hackers to use new file types such as:- 

  • ISO
  • RAR
  • Windows Shortcut (LNK) attachments

There are several types of macros that can be created in Microsoft Office programs that automate repetitive tasks. These include VBA macros and XL4 macros. While the threat actors use them in a variety of ways, including:-

- Advertisement - Google News
  • Malware loading
  • Dropping malware
  • Installing malware

It is because Microsoft announced that they were going to block macros by default on their Office subsystem in order to end the abuse of the subsystem that Microsoft was experiencing.

In this way, the hackers will have a harder time activating them, so the users will be safer. 

Shifting to New Tactics

Compared to the same period last year, macros have been used 66% less, a clear sign that there has been a shift away from macros as a means of distributing payloads.

There is also an increase of almost 175% in the use of container files, which have grown steadily over the past few years. The use of LNK files has been reported by at least 10 different threat actors since February 2022, which is quite a large number.

Since the month of October 2021, there was an increase of 1,675% in the number of campaigns containing LNK files. These new methods have led to the distribution of several notable malware families, including:-

While apart from this, Proofpoint analysts have tracked these events and found that the use of HTML attachments to drop malicious files on the host system has increased significantly in the past year. 

Despite this, they continue to have small distribution volumes despite their growing popularity. It is now becoming more common for threat actors to use a variety of file types in order to gain access to files at the beginning instead of macro-enabled documents. 

LNK files and ISO formats have been adopted due to this change. Microsoft’s macro blocking protection can be bypassed using such filetypes, as well as the distribution of executable files can be simplified.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Use Fake DocuSign Notifications to Steal Corporate Data

DocuSign has emerged as a cornerstone for over 1.6 million customers worldwide, including 95%...

Government Calls on Organizations to Adopt SIEM and SOAR Solutions

In a landmark initiative, international cybersecurity agencies have released a comprehensive series of publications...

WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack

A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a...

Microsoft Alerts on Void Blizzard Hackers Targeting Telecommunications and IT Sectors

Microsoft Threat Intelligence Center (MSTIC) has issued a critical warning about a cluster of...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Craft CMS Vulnerability to Inject Cryptocurrency Miner Malware

Threat actors have exploited a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32432,...

APT36 and Sidecopy Hackers Target India’s Critical Infrastructure with Malware Attacks

Seqrite Labs, India’s largest malware analysis facility, has uncovered a sophisticated campaign dubbed Operation...

Silver RAT Malware Employs New Anti-Virus Bypass Techniques to Execute Malicious Activities

A newly identified strain of malware, dubbed Silver RAT, has emerged as a significant...