
Why have macro malware authors moved toward using OLE technology?

Threat actors are moving from macro malware to using OLE technology to spread their malicious code. Expert Michael Cobb explains what enterprises should look out for.

Microsoft recently warned about how malware authors have shifted gears from using Office macros to object linking and embedding (OLE) technology to spread malicious code. How does malware leveraging OLE technology work? And what steps should security teams take to prevent malicious embedded objects from spreading in their organizations?

A macro, short for macro instruction, is a saved sequence of commands or keyboard strokes that can be executed with a single command or keyboard shortcut. They're incredibly useful for automating certain frequent, repetitive or complex tasks. Some applications, such as Microsoft Office, allow macros to be embedded in documents and run automatically when the document is opened.

In the mid-1990s, macro viruses began exploiting these capabilities, and they remain the main reason why it's dangerous to open unexpected attachments in emails and other types of messages, as macro malware can hide inside legitimate-looking documents.

Despite periodic lulls, macro malware is still quite prevalent, and according to the Microsoft Malware Protection Center, it's on the rise. Recent data from its Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros. Although many antivirus programs can detect macro malware, its creators are becoming more astute not only at disguising it, but also at tricking people into executing it with cleverly crafted social engineering tactics. Hackers are also shifting from macros to OLE objects to enable and download malicious content, circumventing the security controls that govern how and when macros can execute.

OLE technology allows a user to create a compound document that can contain visual and information objects of different kinds, such as text, calendars, animations, sound, video and form controls. Like macros, this legitimate technology can be used to create rich content documents or documents that contain malicious code. By cleverly placing an OLE-embedded object within the main content of the document beside text that calls the user to action, hackers are managing, once again, to trick people into clicking on embedded links, despite years of being told that it's dangerous to do so.

For example, one technique is to suggest that the document is confidential and, therefore, encrypted until the user clicks the OLE object, a button for instance, to decrypt it. Others present an interface similar to a CAPTCHA or other human-verification tool, which enables and downloads malicious content when the user enters an answer. These attacks use Visual Basic and JavaScript scripts, often encrypted to avoid detection by antivirus and other malware monitoring controls.

Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt. Setting the value to 2 disables packages, so they won't be activated even if a user tries to interact with or double-click them. Perimeter security controls should also be set to block or quarantine Office files received from outside if they contain macros or OLE objects.

A new feature in Office 2016 blocks macros from loading in certain high-risk scenarios and shows users different and stricter notifications to make it easier for them to distinguish a high-risk situation from a normal workflow. This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the internet.
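The two registry-backed controls described above (disabling OLE package activation via PackagerPrompt, and the Office 2016 policy that blocks macros in files that came from the internet) can be applied and then verified from PowerShell. The following script is an added example and is not code from the article or from Microsoft. It assumes Office 2016 (registry version string "16.0") and the three applications named above; the policy value name blockcontentexecutionfrominternet is the registry setting behind the Group Policy "Block macros from running in Office files from the Internet" and is not mentioned in the article, so treat it as an assumption to confirm against your own Group Policy templates.

```powershell
# Added example, not from the article: harden Word, Excel and PowerPoint for the current user.
# Assumptions: Office 2016 uses the "16.0" registry branch; adjust $OfficeVersion for other releases.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-DwordValue {
    param([string]$KeyPath, [string]$Name, [int]$Value)
    # Create the key if this application has never written its Security settings yet
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

foreach ($App in $Apps) {
    # 1. PackagerPrompt = 2: OLE packages are disabled and will not activate, even on double-click
    #    (the key path and value are those given in the article above)
    Set-DwordValue -KeyPath "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security" `
                   -Name 'PackagerPrompt' -Value 2

    # 2. blockcontentexecutionfrominternet = 1: the registry form of the Office 2016 Group Policy
    #    that blocks macros in documents carrying the Mark-of-the-Web (assumed value name, see lead-in)
    Set-DwordValue -KeyPath "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security" `
                   -Name 'blockcontentexecutionfrominternet' -Value 1
}

# Verification pass: read both values back so the effective state can be logged or audited.
# A missing value shows as empty, which is what you want to catch after a deployment.
foreach ($App in $Apps) {
    $UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    [pscustomobject]@{
        Application                       = $App
        PackagerPrompt                    = (Get-ItemProperty -Path $UserKey   -Name 'PackagerPrompt' -ErrorAction SilentlyContinue).PackagerPrompt
        BlockContentExecutionFromInternet = (Get-ItemProperty -Path $PolicyKey -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    }
}
```

Both settings live under HKCU, so the script must run in each user's context (a logon script or a Group Policy Preferences registry item) rather than once per machine; the verification loop is the part worth keeping in a compliance check, because a user-level key that was never created is indistinguishable from "not hardened".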

As user interaction and consent is still required to open OLE-embedded objects, user security awareness training is an important part of macro malware mitigation, too. Users should be taught to never enable, double-click or activate embedded content in any file without first verifying its source.


This was last published in October 2016
