In the 90s, Microsoft added a feature to their Office suite called “macros” that allowed users to automate repetitive tasks in order to streamline workflow. At the time, cybersecurity wasn’t a major attack vector, so no one put much thought toward how the feature could be exploited by criminal hackers in the future.

Fast forward to 1999: The Melissa virus spreads like wildfire through an attachment sent with an enticing email from someone you more than likely knew. When the Word document was opened, a macro was triggered that automatically forwarded the same email and attachment to the first 50 people in your address book through Outlook. Although this seems relatively harmless, it shows how easily malicious code could be distributed without users’ knowledge; most macro malware is not so harmless.



As a response, Microsoft added a level of security to the macros feature in their Office suite, and made it so that all uncertified macros were disabled by default. Users had to manually enable macros in order for unknown macros to run, and this caused the amount of macro malware to decrease dramatically.

Macro Malware Rises Again

Yet within the last year, Microsoft reported that malware spread through macros found in email attachments was once again on the rise. Their belief is that because users have now grown accustomed to clicking “Enable Content” (or similar) in any Office product, they have a sort of false confidence in their ability to weigh a perceived risk against any potential gain. More often than not, satisfying their own curiosity is enough of a “gain” to outweigh unknown risks. Many people enable macros inside malicious files only to discover that the macro is coded to download Trojan viruses to their computers.

Today, 98% of threats that target Microsoft Office come from the use of malicious macros. In order to mitigate this growing enterprise-level threat, Microsoft launched a new feature for Office 2016 last week that adds even more layers of security to this feature. Admins can now set complex rules to block macros downloaded from outside sources, as well as prevent users from enabling them at all.

Image: Microsoft

Image: Microsoft


What About the Rest of Us?

This new layer of security is only for enterprise-level situations where all machines are running Office 2016. The rest of the world still has to mitigate threats using older versions where it’s ultimately up to the individual user to make good security aware decisions.

Each employee with access to company data and networks represents the frontline of that company’s defenses. Increasing user awareness is the only way to guard against attacks of any kind, particularly with complex attacks like macro malware that rely entirely on weak links making mistakes.

Tips for Defending Against Macro Malware

Always think before clicking anything in emails, whether it’s outside links or peculiar attachments! If you receive an unexpected attachment via email that you feel could be legitimate but requests you to enable macros, open the document without enabling macros first to verify that it is what you expected.

If the document is not something you were expecting, never download it! In a work environment, report the incident to the right person immediately and then delete the email. Do not open any attachments, and do not click any links within the email.

Only run macros that you have created yourself, or that have come from sources you know and trust. Otherwise, don’t disable the built-in macro security features by clicking the “Enable Content” button (no matter what version of Office you are running). Remember that macros — like any other computer program — can be used responsibly or illegally.



Common Signs of Macro Malware

One of the issues with detecting the latest round of macro malware distribution is that there are thousands of unique, dynamically-created variations that can slip by scanners looking for traditional copy-paste spam. However, there are some commonalities.

All such emails use social engineering to trick the user into downloading and opening a document, then enabling macros which trigger a malicious download (most often a Trojan virus).

The top 5 email subjects for the main macro malware families are:

  1. FYI: Aborted transaction (H493525)
  2. Important Notification 2KMIS
  3. Subject : invoice for Cheryl
  4. are you serious?
  5. Fw: Code 71NOO2

Almost 15% of attachment file names for the main macro malware family (Bartallex) are simply statement.doc. Less than 1% are named things like Retiro-Compra.doc, invoice_0604.doc, documenti.doc, and court_subpoena.doc.


The most important thing is to exercise vigilance. Maintain a healthy degree of skepticism when receiving any email, especially those that are unexpected or from an unknown sender. (When in doubt, you could even try googling it!)

You can also visit Mailguard for several real screenshots of a popular scam email and of the actual macro code:

Kayley Melton

Director of Digital Strategy at SAC
Kayley manages our growing footprint on the web and develops marketing strategies to both keep us current & help us reach more people who might benefit from our message. A professionally trained artist and verifiable “weird girl,” she has 5 pet-children, cooks unbelievably good food, and can out-lift you at the gym.