Microsoft tackles macro malware with new Office-antivirus integration

  • Liam Tung (CSO Online)
  • 13 September, 2018 05:13

Microsoft has integrated its Office 365 apps, Word, Excel, PowerPoint, and Outlook, with Antimalware Scan Interface (AMSI), allowing antivirus to more easily scan malicious macros at runtime. 

The integration takes aim at VBA macros embedded in documents, which have reemerged as a favorite tool for infecting targets combined with trickery, usually in the form of convincing a target to enable macros. They’ve become popular because attackers have plenty of free tools to hide macro source code in parts of a document, such as tables and Excel cells. 

The new AMSI integration with Office VBA adds to AMSI interface option already available for antivirus products to protect against script-based attacks on browsers via malicious JavaScript, VBScript, and PowerShell. The interface is available to Microsoft’s own Windows Defender antivirus as well as third-party antivirus. 

According to Microsoft, the Office VBA AMSI integration enables it to log macro behavior even if code is obfuscated, trigger an antivirus scan after spotting suspicious behavior, and to stop a malicious macro attack in its tracks.   

“When a potentially high-risk function or method (a trigger; for example, CreateProcess or ShellExecute) is invoked, Office halts the execution of the macro and requests a scan of the macro behavior logged up to that moment, via the AMSI interface,” Microsoft’s security experts explain. 

From there, the AMSI provider — Windows Defender or a third-party antivirus — is called upon to make a judgement about whether or not the observed behavior is malicious.

Microsoft bases it’s classification of a high-risk function on how prevalent the particular functions are seen in harmful or benign macros. The behavior logs sent via AMSI can include suspicious URLs used to upload malicious data, suspicious file names, and more. 

If malicious behavior is detected, the macro is stopped from executing and the Office app session is shut down in order to stop the attack and protect the user.

A typical scenario Office VBA and AMSI integration could help is when a target receives a Word document, such as bogus invoice, with a suggestion to “Enable content” in order to view the content. Although the document’s macro code may be heavily obfuscated, the integration allows Microsoft to pass a de-obfuscated behavior log via AMSI to the antivirus for scanning. 

Though it’s not likely totally fool proof, Microsoft notes the antivirus will be able to detect a potential threat “much more easily” than if it remained obfuscated. 

Microsoft notes the Office and AMSI integration will help antivirus also uncover and detect macro code that uses file-less code execution.     

And since detections are shared to cloud security platforms like Office 365 ATP, Microsoft can block the emails harboring the malicious documents and prevent them reaching inboxes in the first instance. 

The Office AMSI integration is turned on by default in all Office 365 applications that support VBA macros, including Word, Excel, PowerPoint, and Outlook. The only situations macros aren’t scanned at runtime are if macro settings are configured to “Enable All Macros”, if they’re trusted documents or documents that are opened from trusted locations, and if VBA is digitally signed by a trusted publisher.