Macros could be the key to a cyber attack
Universities and schools are particularly vulnerable to this vector of attack, as they often run outdated software and don’t have the resources to train huge numbers of students and staff. Sometimes the macros sent will hijack the mailbox of the victim, thereby providing automated means for an attacker to distribute toxic emails institution-wide. Without a dedicated Information Security officer (which many education institutions either can’t or won’t pay for), they may be woefully unprepared for such an attack and the impact can cause tremendous damage.
This doesn’t mean that larger companies that employ CISOs are immune either. Any organisation with a few overly-trusting employees can be compromised. The power of a single click. In larger environments it is possible for sophisticated malware such as Emotet or Nerbian to remain unnoticed for a long time, and chances are that the employee who unwittingly ran the malicious macros may take some time to realise their machine has been compromised.
So, what can you do?
This issue has been plaguing organisations of all shapes and sizes for decades and still seems to be going strong. Luckily, there is good news on the horizon and various strategies you can implement to mitigate this attack vector.
Disable macros
Disabling macros altogether seems pretty obvious – why do we even need these things anyway? Well, if everyone in your company thinks that, disabling them domain-wide is probably a good idea. Sometimes they do serve a useful purpose, however, so a discussion with employees may be warranted to agree the appropriate use cases. Microsoft is making this the default behaviour of Office at the moment, which should allow many information security practitioners to sleep better at night.
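A no-macros policy is easier to hold if macro-bearing attachments are caught before they reach a mailbox. The following is an added example (not code from the article or its author) of the check a mail gateway or file-upload handler can make: modern Office files (.docx, .docm, .xlsm and so on) are zip containers, so the presence of a vbaProject.bin part or a macro-enabled content type is a direct sign that the file carries VBA. The sample documents are constructed in memory so the code runs offline; the function and variable names are this example's own, while the part names, content types and OLE2 magic bytes are the real ones the formats use.

```python
import io
import zipfile

# Real part names the Office Open XML container uses for a VBA project; their
# presence is the simplest reliable sign that a file carries macros.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Real magic bytes of the OLE2 Compound File format used by legacy .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Substring found in the main-part content type of macro-enabled OOXML files.
MACRO_ENABLED_MARKER = "macroEnabled"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed test data: a minimal OOXML-style zip, not a document Word produced."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder body: a real vbaProject.bin is itself an OLE2 stream.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def classify_attachment(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Verdicts: 'quarantine', 'review', 'allow', 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can embed VBA but need an OLE parser (e.g. oletools' olevba);
        # under a no-macros policy they are held for review rather than guessed at.
        return "review", ["legacy OLE2 Office format; macro check needs an OLE parser"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office", []
    reasons: list[str] = []
    with archive:
        names = set(archive.namelist())
        if "[Content_Types].xml" not in names:
            return "not-office", []  # a zip, but not an Office package
        for part in VBA_PART_NAMES:
            if part in names:
                reasons.append(f"VBA project part present: {part}")
        ctypes = archive.read("[Content_Types].xml").decode("utf-8", errors="replace")
        if MACRO_ENABLED_MARKER in ctypes:
            reasons.append("content type declares a macro-enabled document")
    return ("quarantine" if reasons else "allow"), reasons


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample_document(False)),
                        ("invoice.docm", build_sample_document(True))):
        verdict, why = classify_attachment(blob)
        print(f"{label}: {verdict} {why}")
```

The check deliberately refuses to pass judgement on legacy OLE2 files: they can carry VBA too, but proving it needs a proper OLE parser, so a policy that only inspects zip parts would let them through if it defaulted to "allow".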
Monitor your endpoints for compromise
Ensure you monitor all endpoints for malware and viruses, and for a larger estate consider tools that give greater visibility into what a compromised machine is doing. Such tools can also block a compromised machine's email or network access to stop the threat spreading.
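The tell-tale sign of a malicious macro on an endpoint is an Office application starting a script interpreter or command shell, something Word or Excel almost never does on its own. As an added example (not code from the article or its author), the detection below runs over constructed process-creation records shaped like Sysmon or EDR telemetry and flags Office parents that spawn a script host, raising the severity when the command line carries hiding or encoding switches. The ProcessEvent class, the sample events and the function names are this example's own inventions.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Hypothetical record mirroring the fields of a process-creation event."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Command-line fragments that raise severity when seen in an Office child process.
SUSPICIOUS_MARKERS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "downloadstring", "iex ", "bitsadmin")

# Constructed sample telemetry (not real logs): one macro-launched PowerShell,
# one normal document open, one benign print helper, one unrelated shell,
# and one Outlook-spawned shell without hiding switches.
SAMPLE_EVENTS = [
    ProcessEvent("LAB-PC-01", "alice",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc <constructed-placeholder>"),
    ProcessEvent("LAB-PC-01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"WINWORD.EXE /n C:\Users\alice\Downloads\invoice.docm"),
    ProcessEvent("LAB-PC-02", "bob",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("LAB-PC-03", "carol", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("LAB-PC-04", "dave",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
]


def image_name(path: str) -> str:
    """Lower-cased file name; ntpath handles backslash paths on any OS."""
    return ntpath.basename(path).lower()


def suspicious_markers(command_line: str) -> list[str]:
    """Return the suspicious fragments present in a command line, in table order."""
    lowered = command_line.lower()
    return [m for m in SUSPICIOUS_MARKERS if m in lowered]


def detect_office_child_processes(events) -> list[dict]:
    """Alert on Office applications spawning script hosts; benign children are ignored."""
    alerts = []
    for ev in events:
        if image_name(ev.parent_image) not in OFFICE_HOSTS:
            continue
        child = image_name(ev.image)
        if child not in SCRIPT_HOSTS:
            continue  # e.g. splwow64.exe from printing is a normal Office child
        markers = suspicious_markers(ev.command_line)
        alerts.append({
            "host": ev.host,
            "user": ev.user,
            "parent": image_name(ev.parent_image),
            "child": child,
            "severity": "high" if markers else "medium",
            "markers": markers,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_child_processes(SAMPLE_EVENTS):
        print(alert)
```

Restricting the rule to known script hosts keeps the false-positive rate manageable: Office legitimately launches helpers such as the print spooler proxy, and alerting on every child would bury the one event that matters.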
Don’t use email (if possible)
If your company uses tools such as Slack, Teams or Mattermost for communication, it might be a good idea to step that up. Reducing your dependence on email will make malicious messages much easier to spot. These tools can also receive dodgy documents and phishing messages, but if you restrict external communication to specific channels you reduce your exposure to such attacks.
Education, education, education
The most important piece of advice here, and one you can implement starting tomorrow, is better training. Train employees to spot phishing emails and dodgy docs and they will be your eyes and ears for these attacks. Tell them to take this advice home with them: have they received suspicious personal emails or text messages, and how could they tell? Teach them the power of a single click. One click has the power to compromise several machines. One click has the power to cause major disruption to your organisation. One click may even close you down.
About the author
Timothy Clark is a Full-stack Software Engineer who also works as a Cybersecurity consultant, defending against the dark arts. Clark is currently chair of the BCS Preston & District branch and sits on the Early Career executive. He is also a journeyman in the Worshipful Company of Information Technologists.