Cybercriminals are turning away from Microsoft Excel as a method for sneaking malware onto the PCs of potential victims.
Security vendor Hornetsecurity said its researchers logged a significant drop over July in the volume of malware-laden emails that relied on malicious Excel documents. The company's monthly email threat report noted that from June to the end of July, Excel attacks plummeted by nearly 10 percentage points.
This, the Hornetsecurity team believes, was largely due to a key decision by Microsoft to disable macro code execution that has long been abused by malware operators to hijack machines when a document file is opened.
"The drop in Excel documents used in attacks from 14.4 % to 5.1 % can be attributed to attackers shifting tactics due to Microsoft's measures to disable Excel 4.0 macros per default," Hornetsecurity said in its report.
"The prominent malware distributed via malicious Excel 4.0 macros was QakBot and Emotet," the report read. "QakBot switched to a complex infection chain using HTML smuggling and DLL side-loading, which we highlight later in this report."
With Excel macros turned off by default, the researchers found that many of the larger malware groups had to find other, more complicated ways of infecting machines. The above-mentioned Qakbot was one extreme example.
The Hornetsecurity team found that Qakbot hackers opted to construct a scheme where an attached HTML document presents as an Adobe PDF document and prompts the victim to download a zip file under the guise of reader software. That payload then automatically launches and installs the DLL files used for the sideloading attack and final installation of the Qakbot malware itself.
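As an added defender-side illustration (not code from the report or from Hornetsecurity), the script below scores an HTML attachment for the smuggling pattern described above: script-side decoding of an embedded blob, a programmatic download, and a "reader"/zip lure. The indicator weights and threshold are assumptions chosen for this example, and both sample documents are constructed, with placeholder text standing in for the payload.

```python
import base64
import re
from dataclasses import dataclass, field

# Heuristic indicators of HTML smuggling: script-side decoding of an embedded
# blob, a programmatic download of the result, and a "PDF reader" / zip lure.
# Weights are assumptions for this example, not figures from the report.
INDICATORS = {
    "js_base64_decode": (re.compile(r"\batob\s*\(", re.I), 2),
    "blob_construct": (re.compile(r"new\s+Blob\s*\(", re.I), 2),
    "object_url": (re.compile(r"URL\.createObjectURL\s*\(", re.I), 2),
    "anchor_download": (re.compile(r"\.download\s*=|<a[^>]*\bdownload\b", re.I), 2),
    "large_base64_blob": (re.compile(r"[A-Za-z0-9+/]{512,}={0,2}"), 3),
    "zip_lure": (re.compile(r"\.zip\b", re.I), 1),
    "reader_lure": (re.compile(r"adobe|acrobat|pdf\s*reader", re.I), 1),
}

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

def score_html(html: str) -> Verdict:
    """Score an HTML attachment body; decode/download mechanics weigh most."""
    v = Verdict()
    for name, (rx, weight) in INDICATORS.items():
        if rx.search(html):
            v.hits.append(name)
            v.score += weight
    return v

def is_suspicious(html: str, threshold: int = 6) -> bool:
    return score_html(html).score >= threshold

# Constructed samples (not real captures). The "payload" is placeholder text.
BENIGN = """<html><body><h1>Monthly newsletter</h1>
<p>Read the full report on our website.</p>
<a href="https://example.com/report">Open report</a></body></html>"""
_PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a payload " * 20).decode()
SMUGGLING_LIKE = f"""<html><body><p>Install Adobe Reader to view this document.</p>
<script>
var data = atob("{_PLACEHOLDER}");
var blob = new Blob([data]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "reader.zip"; a.click();
</script></body></html>"""
if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("smuggling-like", SMUGGLING_LIKE)):
        print(label, score_html(doc))
```

A mail gateway would run this over the decoded HTML attachment body and quarantine or sandbox anything over the threshold; the lure-string indicators alone never cross it, so a plain newsletter mentioning a PDF is not flagged.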
While it is not unusual for malware operators to change up their techniques and tactics for phishing attacks, researchers noted that Qakbot's pivot was particularly drastic as a response to Microsoft's new security policy.
"The code smuggling approach is effective in evading detection and allows Qakbot to infect a large number of victims. However, this approach requires Qakbot to continue to update its evasion techniques to stay ahead of detection," Hornetsecurity CEO Daniel Hofmann told TechTarget Editorial. "We may see slight alterations to the delivery method, e.g., code may be smuggled using other file types than HTML."
Though the new security measures had a short-term effect on the volumes of Excel attacks, Hofmann said the spreadsheet application will likely remain a popular method for spreading malware via phishing and social engineering attacks for the foreseeable future.
"While the number of Excel documents attached to a phishing email decreased, Hornetsecurity still observes that the danger of Excel documents is relevant," Hofmann said. "The attackers change their strategy on how they deliver malicious Excel documents."