Microsoft Security Intelligence on Twitter
In response to reports from Microsoft detailing that a new TA505 phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, an expert from KnowBe4 offers perspective.
Roger Grimes, Data-Driven Defense Evangelist, KnowBe4
“This attack may be new for this particular threat actor, but it’s been used for decades by other groups. Either way, the key root cause exploit isn’t the malicious Microsoft Excel macro, it’s social engineering. Social engineering and phishing are responsible for 70% to 90% of all malicious threats. No other threat vector is as popular, although abusing unpatched software is second with 20% to 40% involvement. The key is to teach your users not just to recognize malicious Microsoft Excel spreadsheets, but to recognize and report all suspicious phishing attacks. This particular report involves Microsoft Excel, but it could have just as easily been done using Microsoft Word or any other Microsoft Office application…and really any application. Users need to understand that any person asking you to enable content or macros from an unexpected document is a HIGH RISK event. You want to use security awareness training to make a healthy level of skepticism in your environment to any unexpected, unusual request involving Excel or any other application. The key exploit isn’t the Excel macro, it’s the social engineering of trust to get the user to perform high risk actions that can hurt themselves or their organization. So, it’s great to train users about this specific threat as an example in their education, but they need to have broader education about all sorts of risks.”
“You would think that most users would stop and not allow an untrusted Excel macro to run, but you would be wrong. The percentage of people who will allow it to run even after having a big, yellow, Microsoft warning message would probably surprise most people. I’ve been on forensics investigations where the victims ignored or intentionally bypassed five separate warnings from Microsoft applications in order to let the malware run and execute on their computer. It seems incomprehensible that some people will ignore five warnings. But on the other side of the coin, because people get so many warnings and much of the time it’s not malicious, we are unintentionally training them just to quickly click through warnings as though they were bothersome flies. One of the Holy Grails of computer security is how to warn the user ONLY when there is a very high risk event going on with a high likelihood of being malicious. Instead, we warn about very possible “high risk” events even when it comes from less risky sources and locations. The computer often can’t tell the difference, and so they just default to warning the user about everything or nearly everything. And that just creates a bad muscle memory of clicking through every warning. Good security awareness training helps users to figure out the telltale signs of true maliciousness versus the many innocuous warnings they will get for doing normal things.”