MS Office documents armed with malicious macros and sent by email still rank among the tools most commonly employed in ransomware attacks. And the “success” they achieve proves the point, no matter whether the message purports to be an unpaid invoice or financial results that urgently need checking. In the heat of daily business, users are only too eager to quickly click on the attached documents.
A potential security risk: Office macros no longer blocked by default
Microsoft itself is also thoroughly aware of the threat. At the beginning of the year, the software giant announced the default blocking of macros for files downloaded from the internet. Now the company has made a U-turn and at the beginning of July, Microsoft was declaring on its official support portal: “Based on feedback, we’re rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience.” Microsoft also announced its intention to continue developing the function, although the page refrained from mentioning a fixed time schedule for making it available again. To add some context to the current measures taken by Microsoft, many IT media channels suspect that there may have been issues with the implementation. According to a test performed by the experts at German tech news outlet Heise Security for instance, in many cases only the regular yellow alert message still appeared. These can simply be clicked away, as many users will know, giving attackers an open path into the company’s network.
Sandboxing and Machine Learning: Detailed analysis of office files boosts detection rates
To provide the best possible protection against these and other similar macro viruses concealed in documents, Retarus crucially advises using a sandboxing solution. In combatting these malware variants and other similarly adaptive threats, machine learning is gaining in importance and should be an essential component in any IT security strategy. State-of-the-art machine learning models are able to detect changes or tampering in executable files especially well – a big weak point in traditional signature-based approaches, which far too often play into the hands of the attackers in scenarios such as those described above. With a sandboxing approach, suspect contents are executed in a secure environment within the Retarus infrastructure, where they are examined thoroughly. In this fully automated process, the focus is often on the file formats exploited for attacks, such as Microsoft Office documents. Emails identified as infected are then deleted or immediately placed in quarantine. Incidentally, the sandboxing technology is run exclusively in Retarus’ own Europe-based data centers – without transferring any sensitive data to third-party providers.
Post Delivery Protection solutions mitigate risks further
To complement the sandboxing approach, Retarus additionally offers a valuable Post Delivery Protection mechanism with its Patient Zero Detection® (PZD). This patented technology allows malicious emails to be found and rendered harmless even after they have been delivered to an inbox. In the best case, this happens before the recipient has even had a chance to open the message or potentially open the harmful attachment. In fact, the majority of PZD findings are already identified within minutes of the initial inbox placement. With around half a million new virus variants every day, this can provide a crucial advantage in minimizing the risk of falling victim to a cyberattack.
