Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Malicious Macro-Enabled Docs Delivered via Container Files to Bypass Microsoft Protections

Threat actors are embedding macro-enabled Office documents in container files such as archives and disk images to circumvent a recently rolled-out macro-blocking feature in Microsoft Office.

Threat actors are embedding macro-enabled Office documents in container files such as archives and disk images to circumvent a recently rolled-out macro-blocking feature in Microsoft Office.

Initially announced in February, the macro-blocking feature is meant to prevent phishing attacks by making it more difficult for users to enable macros in documents received from the internet.

Small snippets of code embedded in Office documents, macros have long been abused by threat actors in phishing attacks and for malware delivery.

In 2016, Microsoft disabled the automated execution of macros in Office documents received from the Internet, but has allowed users to enable them with a single click.

Adversaries have been using various social engineering techniques to trick users into enabling the macros, and Microsoft in February announced a new mechanism to block macros by default in documents received from the internet.

A red notification at the top of the page warns users that macros have been blocked and, if clicked on, takes them to a web article explaining the risks associated with malicious macros.

Currently rolling out to Access, Excel, PowerPoint, Visio, and Word on Windows, the feature essentially stamps these documents with a “Mark Of The Web” (MOTW) that can be removed if the user saves the document to the local disk.

To circumvent the mechanism and ensure the immediate execution of the embedded macros, threat actors are now delivering Office documents inside container file formats such as IMG (.img), ISO (.iso), RAR (.rar), and ZIP (.zip), Proofpoint warns.

“When downloaded, the ISO, RAR, etc. files will have the MOTW attribute because they were downloaded from the internet, but the document inside, such as a macro-enabled spreadsheet, will not,” Proofpoint explains.

While the user would still have to enable macros in the extracted document, the system will no longer see the document as coming from the internet, and will not apply the highest level of protection.

Container files have also been used to distribute payloads directly, including shortcut files (.lnk), DLLs, and executables (.exe) that allow for the direct installation of malware.

Between October 2021 and June 2022, Proofpoint has observed a sharp decrease in macro-enabled documents delivered as email attachments, but noticed a massive increase in the use of ISO, RAR, and LNK files during the same timeframe. The use of LNK files went up 1,675% since October 2021.

“Threat actors across the threat landscape are pivoting away from macro-enabled documents to increasingly use different file types for initial access. This change is led by the adoption of ISO and other container file formats, as well as LNK files. Such file types can bypass Microsoft’s macro blocking protections, as well as facilitate the distribution of executables that can lead to follow-on malware, data reconnaissance and theft, and ransomware,” Proofpoint concludes.

Related: Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Related: Microsoft Resumes Rollout of Macro Blocking Feature

Related: Microsoft Restricts Excel 4.0 Macros by Default

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...