Combating Macro-Based Threats: a Multi-Layered Approach


Colorful bar charts of various size

Macros have long been a favored attack vector for cybercriminals looking to infect devices. In a 2022 study of 35 million pieces of malware on the dark web, 87% used macros to infect devices. Microsoft recognized this risk, and in February, it changed the default behavior of Office to block macros on files originating from the internet in the hope that it would also eradicate the problem.

While it did have an impact on reducing macros as a core vector for infection, it did not eliminate the threat. Macros were only the most popular vector, so it simply forced attackers to change their tactics to avoid macros or circumvent the block. 

Attacks Evolve 

Cybercriminals are highly-resilient, looking for ways to circumvent attacks when presented with a challenge. Just because a single attack vector is more challenging to utilize does not mean that organizations are now entirely protected from threats that might use it. Instead, it will block older threats that follow a known playbook from being utilized, and attackers will innovate around the restrictions until they are no longer a concern. 

Eliminating Macros is Not Possible for Many Organizations

For many organizations, such as Financial Services companies, there is no ability to eliminate macros entirely. Macros handle necessary automation and calculation functions in Office documents integral to operations. These macros provide functionality in documents and spreadsheets that would require expensive or custom software to replace them. By eliminating macros, numerous businesses would find themselves scrambling to replace necessary functionality. 

Stopping the Threat

Rather than focusing on eliminating a path of a file-borne attack, organizations must find ways to stop the deliverable – the malicious content – from making its way into their organization. The only effective way to do this is by eliminating it as it passes through perimeters. This, of course, is easier said than done.

With the constant evolution of cyber criminals developing new strains of malware to circumvent existing controls, no single step to eliminate all malicious code hidden in files. 

Combined Prevention

Organizations focus on a combination of controls to eliminate malicious code. This process usually starts with detection-based controls found in Antivirus (AV) products. These tools quickly and efficiently detect known threats in files, destroying them before they can be launched and infect an endpoint. 

Unfortunately, attackers continue to evolve, creating new strains of malicious content daily, on the order of 560k new pieces. AV solutions can only detect new strains and update their signatures so quickly, creating a gap in protection against these zero-day threats. This is where Content Disarm and Reconstruction (CDR) comes into play. 

CDR does not utilize detection to eliminate malicious content. Instead, it adopts a Zero Trust approach, deconstructing all files that pass through it and rebuilding them from only the known safe components. This rebuilding process eliminates potential threats, while the essential elements of the file are left behind. In the most advanced CDR solutions, files retain the entirety of their formatting, functionality, and even safe macro functionality. Some users of CDR decide to skip AV entirely, as CDR removes malicious content and passes files through, as opposed to quarantining and blocking them.

However, organizations are often left with a visibility gap using CDR to rebuild everything from known-safe components, because CDR’s lack of typical alerts and noise provides little insight into prevented attacks for reporting purposes. This is where retrospective analysis overcomes this gap. As CDR rebuilds files, the original data is quarantined for later analysis against known malware signature databases. As signature files get updated in these databases, previously undetectable threats get identified, creating a record of the effectiveness of the CDR and tracking threats. 

Finding a Complete Defense for File-Borne Threats

Votiro is more than just a CDR solution. It is a complete defense against malicious code embedded in files. Votiro uses a combined defense strategy of detecting, protecting, and analyzing to create a shield against malicious hidden threats by integrating optional AV, CDR, and retrospective analysis into one defense platform. 

Votiro’s protection is built on an API-centric solution that seamlessly integrates into existing business workflows, enabling organizations to enjoy immediate protection against hidden malware threats.

Contact us today to learn how Votiro sets the bar to prevent hidden threats in files so that your employees and systems remain secure while maintaining productivity. And if you’re ready to try Votiro for yourself, start today with a free 30-day trial.

background image

News you can use

Stay up-to-date on the latest industry news and get all the insights you need to navigate the cybersecurity world like a pro. It's as easy as using that form to the right. No catch. Just click, fill, subscribe, and sit back as the information comes to you.

Subscribe to our newsletter for real-time insights about the cybersecurity industry.