Macro-based attacks are a fertile ground for attackers to initiate malware. Microsoft says this method has been used for decades but has emerged prominently in recent years. Social engineering attacks using VBA macros are replacing software-based exploits. “Macros are popular among attackers because of the rich capabilities that the VBA runtime exposes and the privileged context in which macros execute,” Microsoft explains. “Notably, as with all scripting languages, attackers have another advantage: they can hide malicious code through obfuscation.” With AMSI in Office 365 apps, the company can scan macros at runtime to check for malicious content. Included in the package is Microsoft’s improved mechanisms for finding malicious macros behaviour. With AMSI on board, the solutions are available in any antivirus solutions. Attackers usually use code obfuscation to hide malware, with macro source code being among the easiest to change. Indeed, there are plenty of legitimate free solutions that will obfuscate macros code for free. Furthermore, malicious code can then be hidden in documents, such as Microsoft Excel spreadsheets. Microsoft admits companies face a challenge to keep up and find malicious macro code. However, the company says it has made a breakthrough with AMSI integration in Office 365.
Windows Integration
If you are unfamiliar with AMSI, it is an open interface that allows any app to work with it, including any antivirus solution. In Windows 10, it allows applications to sync with antivirus and scan macros at runtime. “Any antivirus can become an AMSI provider and inspect data sent by applications via the AMSI interface,” Microsoft notes. “If the content submitted for scan is detected as malicious, the requesting application can take action to deal with the threat and ensure the safety of the device. To learn more, refer to the AMSI documentation.”