Macro Scanner To Block Malware Now Available with Office 365 ProPlus
Last week Microsoft announced that it has turned on Antimalware Scan Interface (AMSI) technology to protect against malicious macros for Office 365 ProPlus subscribers. Although it has been around since 2015, AMSI is now newly integrated with Office 365 ProPlus.
Microsoft turned AMSI on by default "on the Monthly Channel for Office 365 client applications including Word, Excel, PowerPoint, Access, Visio and Publisher," Microsoft indicated in its Sept. 12 announcement.
With AMSI turned on, IT pros can get greater control over what macros do at runtime. It's also possible to detect malicious software even in obfuscated code, Microsoft's announcement suggested.
A new Group Policy security setting called "Macro Runtime Scan Scope" is now available with AMSI. This policy lets IT pros disable scanning for all documents, enable scanning for low-trust documents or enable scanning for all documents.
For Office 365 tenancies, AMSI will scan macros at runtime to detect malicious code. However, it won't scan macros under the following conditions:
- Documents opened while macro security settings are set to "Enable All Macros"
- Documents opened from trusted locations
- Documents that are trusted documents
- Documents that contain VBA [Visual Basic for Applications] that is digitally signed by a trusted publisher
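The following audit script is an added example (not from the article, Microsoft, or Cofense) that reports, for one Office application and the current user, the "Macro Runtime Scan Scope" policy value and two of the exemption conditions listed above ("Enable All Macros" and trusted locations). The registry paths, value names and value meanings are assumptions drawn from public Office policy documentation, as is Office version 16.0; verify them against Microsoft's documentation before relying on the output.

```powershell
# Added example, not part of the original article. Audits the macro runtime
# scanning posture of one Office app for the current user.
# ASSUMPTION: registry locations and value meanings below come from public Office
# policy documentation and should be verified for your Office build.
param([string]$App = 'Word', [string]$OfficeVersion = '16.0')

$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Common\Security"
$appKey    = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Macro Runtime Scan Scope" policy (assumed encoding):
#   0 = disable scanning for all documents
#   1 = scan low-trust documents only (assumed default when the policy is unset)
#   2 = scan all documents
$scope = Get-RegValue $policyKey 'MacroRuntimeScanScope'
$scopeText = switch ($scope) {
    0       { 'disabled for all documents' }
    2       { 'enabled for all documents' }
    default { 'enabled for low-trust documents only (policy unset or 1)' }
}

# VBAWarnings = 1 is assumed to correspond to "Enable All Macros", one of the
# conditions under which AMSI does not scan macros at runtime.
$vbaWarnings = Get-RegValue $appKey 'VBAWarnings'
$enableAll   = ($vbaWarnings -eq 1)

# Trusted locations: documents opened from these paths are exempt from scanning,
# so each entry is a per-document exemption worth reviewing.
$trusted = @()
$tlKey = Join-Path $appKey 'Trusted Locations'
if (Test-Path $tlKey) {
    $trusted = Get-ChildItem $tlKey |
        ForEach-Object { (Get-ItemProperty $_.PSPath).Path } |
        Where-Object { $_ }
}

[pscustomobject]@{
    Application      = $App
    RuntimeScanScope = $scopeText
    EnableAllMacros  = $enableAll
    TrustedLocations = ($trusted -join '; ')
    # Scanning cannot apply at all if the policy disables it or all macros are enabled;
    # trusted locations and trusted/signed documents remain per-document exemptions.
    ScanEffective    = (($scope -ne 0) -and -not $enableAll)
}
```

Run it once per application of interest (for example `-App Excel`) to compare how the exemptions differ between apps on the same machine.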
AMSI doesn't appear to be a security solution in itself. Instead, Microsoft describes AMSI as a "generic interface standard that allows applications and services to integrate with any antimalware product present on a machine." Apparently, AMSI just enables existing antimalware solutions to check the macros. It can use either Microsoft's antimalware solutions or "third-party" antimalware solutions.
Microsoft pointed to its Windows Defender Advanced Threat Protection service as one endpoint solution that could be used with AMSI.
AMSI does appear to be more than just a generic interface, though, because it logs information. It'll log "suspicious URLs" and "suspicious file names," for instance. It'll stop the execution of a macro if it sees the behavior of the macro as being malicious. At that point, the end user will get notified, and it'll also shut down the application.
The use of Microsoft Office macros may be one of the leading delivery approaches for malware authors, according to recent analysis by Cofense, a provider of e-mail security. Malicious macros in Office documents accounted for "45% of all delivery mechanisms analyzed," Cofense noted in a Sept. 13 blog post. In addition, the macro delivery method was representative of the "most malignant" kinds of malware, including "Geodo, Chanitor, AZORult, and GandCrab."
Basically, macros are popular with malware writers because a single click from end users can enable them. Organizations can block all macros, but that approach might not be viable for "most businesses," the Cofense blog indicated. Cofense recommended having "tailored policies" in place to achieve both security and usability.
Like Cofense, endpoint protection solution provider Barkly also noted the resurgence of macros as a means for spreading malware. A Barkly blog post from last year noted that Microsoft had long ago disabled automatic macro execution. Instead, end users now have to execute the macros themselves. However, the macro attack method became popular again for malware authors because it was easier to get end users to click on a familiar-looking document to execute malicious code than it was to get them to download malicious content, the Barkly post argued.
Microsoft, too, noted the resurgence of Office macros as a means for spreading malware. Its announcement suggested that better operating system and application security may have caused attackers to go that route.
"Continuous improvements in platform and application security have led to the decline of software exploits, and attackers have found a viable alternative infection vector in social engineering attacks that abuse functionalities like VBA macros," Microsoft's announcement indicated.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.