A Macro Virus is a virus that adds its code to the macros embedded within documents, spreadsheets, and other data files. The first macro virus appeared in July of 1995 infecting a Word document. This rapidly became the dominant type of virus until the turn of the century, when Microsoft disabled macros by default in Office 2000 and later. Since then, cybercriminals using macro viruses have had to trick users into enabling macros for their infections to take place.
Macro viruses are embedded in Word documents, PowerPoint and Excel files, or even Microsoft database files. They’re often attached to emails, downloaded from fake download websites visited via phishing links or click bait news articles. They are difficult to detect, as they do not activate until an infected macro is run, at which time they perform their damage.
Macro viruses are similar to a Trojan horse since they appear harmless and come with interesting packaging (salaries.xlsm, Calamity_Images.pptm). Notice the “M” in the extension. Microsoft created unique file extensions to signal the presence of a Macro enabled file. This also allows cybersecurity professionals, engineers, and vCISO’s to filter out “M” extension file types from email attachments. Commonly filtered extensions for Microsoft Macro enabled viruses include:
Microsoft Files with Macros
|.docm, .dotm, .xlsm, .xltm, .xlam, .pptm, .potm, .ppam, .ppsm, .sldm|
Unlike Trojans, macro viruses can replicate themselves and infect other computer files like a worm.
What does this mean for an SMB?
- educate employees on the risks of macro-enabled files;
- filter file attachments in your email security system (if possible); and
- always deploy endpoint security solutions that can detect and remove macro and other viruses.