While most email users are well aware that you should avoid opening up .EXE attachments, most will not think twice about opening up an emailed document with a .DOC, .DOCX or .RTF file name.
There are a lot of situations in daily working life where you may need to open these documents, but Sophos is now warning that that may also contain malware.
Many Microsoft products, including Office applications, include a component known as VBA, short for Visual Basic for Applications.
You can add VBA code into files such as documents and spreadsheets, and many people do. VBA is a programming language that is as likely to be used by accountants and auditors as well as software engineers and sysadmins.
According to Sophos, cyber criminals have been getting back into VBA malware, or macro malware as they used to be called back in the late 90s.
“The trick is that the VBA malware is usually just the start of the attack. VBA runs once in the background when you open the document, and installs or downloads a .EXE file for you, without asking,” explains Paul Ducklin, senior security advisor at Sophos.
“That means you are never confronted with a decision on whether to accept or open an executable, or to download and run a program. Instead you’re only ever faced with an innocent-looking document, which you could be forgiven for opening, especially if you routinely receive and process documents sent in by customers, suppliers, colleagues and others.”
This results in the malware writer ending up with a full-strength executable file installed, which will keep on running in the background not only after you close the downloader document, but even when you logout or reboot.
So what can you do to avoid macro malware? Here are Ducklin’s top tips:
– Don’t be tempted to reduce security (e.g. by enabling VBA macros) because a document tells you to. Malware may even tell you that macros need to be enabled "for security purposes." Immediately consider any such document to be untruthworthy.
– Consider blocking Office files emailed from outside if they contain macros. VBA macros used in your organisation should ideally only ever originate internally from IT, not from untrusted outside sources.
Image source: Shutterstock