
How to Stay Safe from Office Macro-Based Malware with Email Security  

By Mia Thompson
10 February, 2020

Microsoft Office macros have been spreading malware since the late '90s, ranging from Melissa to well-known ransomware applications such as Locky or the Dridex banking malware. However, as users learned how to combat these threats, this type of attack fell out of favor with hackers. 

Unfortunately, with the threat landscape ever evolving, cybercriminals becoming more sophisticated, and macro programs becoming popular among businesses, we have seen a resurgence of this type of attack over the past few years. In 2016, Microsoft reported an increase in macro-based malware, accounting for almost 98% of all Office-targeted threats. Last year Microsoft warned that Windows macro-based malware was being spread via Excel in email. 

What are macro viruses? 

Macros are basically small scripts written in the Visual Basic for Applications (VBA) programming language. They allow repetitive actions within Office documents, and every user can record their actions, generate a macro, and run it every time they need to complete that sequence and save time. In short, macros are small programs that run within bigger programs to automate time-consuming tasks on a user’s behalf to boost productivity. Unfortunately they also allow bad actors to embed dangerous payloads, such as ransomware, rootkits, spyware, and so on.

Cybercriminals use macros to infect any computer that opens and runs the malicious macro. For example, malicious macros can leverage the VBA SHELL command to execute arbitrary code and the VBA KILL command to delete files from the HDD. VBA works within the majority of Microsoft Office programs, including Excel, Outlook, PowerPoint, Access, Word, Project, cloud-based Office 365, and more. The problem comes when malicious macros also use "AutoExec" to start automatically with an Office application or "AutoOpen" to autorun the macro when the document is opened.

How does this happen?

While recent versions of Microsoft Office have macros disabled by default, cybercriminals are using social engineering to convince users to turn on macros to allow their malware to run. Typically, macro malware is transmitted through phishing emails containing malicious attachments. 

Take Locky as an example. This was spread via email attachments containing Word documents that would have some scrambled text and a big headline saying you should enable macros to view the text properly. By doing this, cybercriminals were attempting to social engineer you into enabling macros because the data appeared incorrectly encoded. Even when macros were enabled, the text would remain the same, but in the background a small piece of code would save a file on your hard drive and execute it. The file saved is "Troj/Ransom-CGX", a downloader that delivers the final payload, which in this case is Locky. The ransomware payload is not embedded in the document, but it is later downloaded.

The downloader connects to the internet and the final payload hits your computer, and Locky starts to scramble all your files that match a list of extensions, such as videos, images, documents or source code. If you are the lucky owner of a Bitcoin wallet, it encrypts that one too. 

Another action that Locky takes after infecting your computer is to remove your Volume Snapshot Service (VSS) files, a type of live backup file on Windows, and replace your wallpaper with its ransom notice.

From here on you either pay up or wait for someone to release a decryption tool, as we saw in the case with CTB-Locker, Locky or TeslaCrypt. 

How to help protect against macro malware

The question you need to be asking is not what do you do after your computer is infected with ransomware, but how can you stop it before it reaches your inbox in that attachment? 

The answer is simple—be proactive! You filter the email and its attachments, leaving no room for the malware downloader and blocking it before it reaches your email server and/or mailbox.

Finally, always ensure macros are disabled on Microsoft Office applications, and don’t open suspicious emails or attachments. 

How does SolarWinds Mail Assure help protect your email?

Normally we would reject the spam/phishing email even before we scan it, because in the majority of cases we classify it as spam/phishing before classifying it as malware. We do this by filtering email using a variety of filtering technologies. 

We also offer you the ability to take this one step further, giving you control to block attachments containing macros by default. Once this feature is enabled, emails received with document-based attachments (.doc, .xls, .ppt etc.) containing macros are rejected and quarantined by default. 

The SolarWinds® Mail Assure cloud-based email security helps your customers stay in control and protect their inbound and outbound email from email-borne threats.

Mia Thompson is product marketing manager, Mail Assure, at SolarWinds MSP.

Additional reading

The Email Security Education Series: Dangerous Email Attachments 
7 Steps to Help Limit Your Chances of Getting Hit By a Ransomware Attack
Our Top 10 Email Malware of All Time