Most of us have learned not to enable macros in unexpected Microsoft Office documents. But there is a new malware attack that uses some less obvious social engineering tactics to get people to allow macros to run.

Attackers are looking for more effective attacks, as users learn not to enable embedded macros

Attackers have often used embedded malicious macros into Microsoft Office documents, hoping the recipient of a phishing email clicks on the button to Enable Macros. This can allow an attacker to use more sophisticated methods to get their malware installed on a computer. However, it’s less likely to work these days, now that most users have been taught not to “Enable Macros” if they see the dialog box that pops up when they open a document.


Tricky document notification for converting to compatible version

Phishing attacks now use a document’s text content to trick users into enabling macros through DDE

While it’s much more complicated for an attacker to implement, there is a way that is proving to be more effective for them to trick recipients of a phishing attachment to enable enough privileges to enable them to run their own macros. It involves putting a convincing notice at the top of the Office document that looks legitimate, and which tells the user they need to “upgrade” or “convert” the document to a format that works with their current version by clicking the Enable Editing and then Enable Content buttons displayed by Microsoft.

This approach may appear to be requesting a less threatening action that is required in order to properly view the document. In fact, the rest of the document’s content, after the upgrade notice may appear as improperly formatted content, adding to the plausibility that the document needs to be converted.

The technical actions that occur once the user clicks the “Enable Content” button is very convoluted, but involves enabling Dynamic Data Exchange (DDE). This allows the Word document to download a remote excel spreadsheet and create automated instructions that eventually disable the macro warning, and execute maliciously coded macro.

Keeping end-users aware of new social engineering attacks

It’s a never-ending game of cat and mouse, where attackers find new ways around security technology. All technologies have limitations, and exploiting them can usually done by taking advantage of a user whose behavior can be manipulated.

Click Armor’s gamified learning approach works for phishing, as well as social engineering attacks, by engaging users to learn and then using simulation exercises to let them practice making good risk decisions in a safe environment.

If you are looking for a better way to strengthen end-user awareness again improve their defensive skills against phishing and social engineering, please book a call with us by using the button below.

Cyber Security

Phishing Defense

Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.

Social Engineering Defense

Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.

Cyber Security Awareness for Remote Workers

Home-based workers are vulnerable to cyber attacks. Build team immunity today.

Privacy and Compliance

PCI Compliance Awareness

When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.

Gamified HIPAA Compliance Awareness

If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).

Gamified Learning Platform

Active Awareness Platform

Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.