Between Microsoft Word, Excel, Outlook and PowerPoint, the Microsoft Office suite underpins much of the day-to-day work in most enterprises. The tools can be used for good: writing, tracking budgets, communicating or presenting. They can also be used for bad: documents written in Comic Sans, hitting “reply-all” on a snarky comment that wasn’t meant for the entire company, or the dreaded “death by PowerPoint” presentation. Typical end-users only scratch the surface of what each tool can do.

Power users unlock far more of Microsoft Office through macros. Macros can slice and dice data and automate tasks that would take hours to do by hand. They range from the simple, such as a macro that inserts a letterhead, to the elaborate, such as a macro that builds a custom PowerPoint presentation from an Excel workbook that itself pulls data from multiple spreadsheets and databases. As Uncle Ben once said, “With great power comes great responsibility”.

Yet evil can lurk within Microsoft Office macros. They are a common delivery vehicle for fileless malware, a term for attacks that abuse legitimate tools built into the operating system for nefarious purposes. Once the document is opened, the macro typically hands off to tooling that is already present, such as PowerShell or WMI, rather than dropping a new executable on disk. These attacks stay in the shadows: they exploit trusted, legitimate tools that are used every day, which makes them hard to block outright. They “live off the land” by relying on what is installed by default.

Creating malicious attachments is not terribly complex. At a Black Hat Asia talk earlier in 2019, a group of researchers detailed “Evil Clippy,” a cross-platform tool for creating malicious Microsoft Office documents. The tool proved quite effective: in the demonstration, the documents it generated bypassed all of the major antivirus products.

A tool like Evil Clippy lowers the barrier to entry for attackers, and yet macros remain a necessary tool for many organizations to do their business.

So, What Can be Done?

At the simplest level, an IT administrator can turn macros off for all users. That sounds like an easy plan, except that macros are commonly used in enterprises to automate tasks, so a blanket ban tends to get reversed. A more workable middle ground is to block macros only in documents that arrived from the Internet (email attachments and downloads carry a Mark of the Web that Office can key on) and to allow only digitally signed macros or macros stored in trusted locations for the business’s own automation. Signature-based endpoint protection helps, but it only catches attachments whose signature is already known. User education teaches people what not to open, which works in theory, but all it takes is one user opening a malicious attachment to start an infection.
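The middle-ground policy described above can be applied per user with the same registry values that Group Policy writes. The following PowerShell is an added example and is not code from the original post or from BluVector; it assumes Office 2016/2019/Microsoft 365 (registry version key "16.0") and that the values are written to the per-user Policies hive, which is where a GPO or Intune policy would also put them. The function names are this example’s own.

```powershell
# Added example (not from the original post or from BluVector): per-user Office macro policy
# for Word, Excel and PowerPoint, written to the registry keys that Group Policy populates.
# Assumptions: Office 2016/2019/Microsoft 365 ("16.0"); run in the target user's context.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 1 = enable all, 2 = disable with notification (the default),
        # 3 = disable all except digitally signed, 4 = disable all without notification.
        [ValidateSet(2, 3, 4)] [int] $VbaWarnings = 3,
        # blockcontentexecutionfrominternet = 1: macros never run in files that carry
        # Mark of the Web (email attachments, downloads), whatever VBAWarnings says.
        [bool] $BlockInternetMacros = $true
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value ([int]$BlockInternetMacros) -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # Read the values back so the change can be verified (or audited on other machines).
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
        }
    }
}

# Weak default: VBAWarnings = 2 lets any user click "Enable Content" on an attachment.
# Corrected: signed macros only, and nothing from the Internet zone runs at all.
Set-OfficeMacroPolicy -VbaWarnings 3 -BlockInternetMacros $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

With VBAWarnings set to 3, the business’s own macros keep working only if they are signed with a certificate the users trust, so the code-signing certificate has to be distributed to the Trusted Publishers store alongside this policy; internal macro-enabled templates can alternatively live in a trusted location. Either way, an attachment from outside the organization is blocked before the user ever sees the “Enable Content” button.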

An effective defense against malicious macros needs to start by anticipating what evil lurks in an attachment and stopping it before it can cause a problem. It would be impossible to analyze all of the traffic crossing a network by hand. That is why organizations are relying on new forms of artificial intelligence (AI) to play an increasingly large part in their network defense: AI that offers additional insight into potential threats and gives security teams information that would otherwise take minutes or hours to compile, if it could be compiled at all.
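A first, cheap check that any mail or file gateway can automate before deeper analysis is simply asking whether an Office attachment can carry a macro at all. The PowerShell below is an added example, not code from the original post or from BluVector: it classifies a file as a legacy OLE2 binary document (.doc/.xls/.ppt, which can always hold VBA) or an OOXML zip, and looks for the VBA project part in each. The OLE2 heuristic (searching the file for the UTF-16 storage names Office uses for VBA) is an assumption-laden shortcut, not a full compound-file parser, and the function name is this example’s own.

```powershell
# Added example (not from the original post or from BluVector): static triage of an Office
# attachment for macro indicators. Heuristic only; a real parser (e.g. olevba) does this properly.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacroIndicators {
    param([Parameter(Mandatory)] [string] $Path)

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $result = [ordered]@{ Path = $Path; Container = 'unknown'; MacroIndicator = $false; Detail = '' }

    if ($bytes.Length -ge 8 -and
        [System.BitConverter]::ToString($bytes, 0, 8) -eq 'D0-CF-11-E0-A1-B1-1A-E1') {
        # OLE2 compound file: the legacy .doc/.xls/.ppt container. VBA lives in storages
        # named "Macros"/"VBA" (Word) or "_VBA_PROJECT_CUR" (Excel); directory entry names
        # are stored as UTF-16LE, so decode the whole file that way and pattern-match.
        $result.Container = 'OLE2 (legacy binary)'
        $text = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($text -match '_VBA_PROJECT|\bMacros\b|\bVBA\b') {
            $result.MacroIndicator = $true
            $result.Detail = 'VBA storage name present in directory'
        }
    }
    elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        # OOXML (.docx/.docm/.xlsx/.xlsm/...) is a zip; macros are the vbaProject.bin part.
        $result.Container = 'OOXML (zip)'
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $vba = @($zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' })
            if ($vba.Count -gt 0) {
                $result.MacroIndicator = $true
                $result.Detail = ($vba.FullName -join ', ')
                # A macro part inside a file using a macro-free extension is worth a second look:
                # the extension alone says nothing about what the container holds.
                if ([System.IO.Path]::GetExtension($Path) -match '^\.(docx|xlsx|pptx)$') {
                    $result.Detail += ' (macro part under a macro-free extension)'
                }
            }
        }
        finally { $zip.Dispose() }
    }

    [pscustomobject]$result
}

# Usage: triage every Office file in a quarantine folder (path is an assumption).
Get-ChildItem 'C:\Quarantine' -File |
    ForEach-Object { Test-OfficeMacroIndicators -Path $_.FullName } |
    Where-Object { $_.MacroIndicator } |
    Format-Table -AutoSize
```

The point of a check like this is not to decide “malicious” or “benign”, which is the job of the deeper analysis the rest of this post is about; it is to route the small fraction of attachments that can execute code at all into that analysis, while the bulk of macro-free documents pass straight through.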

Detection is a crucial part of any organization’s defenses, and organizations that are not already actively searching for fileless threats may be at risk from new threats that mimic or are based on tools such as Evil Clippy. The good news is that BluVector Cortex not only offers security teams that AI-driven insight into threats, it examines both file-based and fileless events at line speed. When the BluVector Threat Team ran Evil Clippy samples through regression testing, BluVector Cortex detected the threat with an engine that predated the malware’s creation by 63 months.