Understanding Visual Basic for Applications (VBA) Macro Attacks

Aaron Goldstein
March 28, 2024

When considering cybersecurity threats, it’s just as important to think about how an attacker breaches a network as it is to evaluate what information they might be targeting. One method for initial access that is particularly devious is the use of Visual Basic for Applications (VBA) macros in Microsoft Office products. VBA is the language Microsoft uses to enhance its software through customizable automation and scripting. Given Microsoft’s dominance in the operating system space, it’s no surprise that attackers target VBA to exploit today’s organization.

How VBA attacks work

In a VBA-driven attack, adversaries weaponize a Microsoft Office document, such as a Word doc, Excel sheet, or PowerPoint presentation. In general, the attack begins through a successful phishing attack. The adversary will insert the weaponized document as part of their message, using clever social engineering tactics to illicit the target to open or download it.

Within the document itself, the attacker will create macros in the VBA scripting language that carry out malicious tasks upon activation. Interestingly, Microsoft is aware of these types of attacks and has disabled macros in documents by default. That said, attackers still find ways to trick users into enabling macros.

How macros are used

The biggest problem with VBA macro attacks is their widespread, customized nature. Because anyone can code macros through VBA, toolkits are available for purchase that commoditize VBA macro usage at scale. Alternatively, particularly savvy attackers can finetune their macros to carry out multiple different tasks and payloads while convincing the user that everything is normal.

One particularly nasty command that attackers embed in macro documents forcibly turns off the preventions within Microsoft Office that block macros. That way, they only need to trick the user to turn off macros once, and then can continually repeat macro-based attacks. Another way attackers avoid detection with macros is by downloading directly to the Office templates folder, which avoids macro preventions altogether.

After bypassing macro-prevention security controls, attackers can use additional macros to surreptitiously download executables and other payloads that grant them access permissions on the target’s system. Certain tools even allow them to remotely access the system and its command line which they can use to perform privilege escalation to gain a stronger foothold on the system or network.

Preventing VBA macro attacks with Todyl

Clearly, VBA macro attacks present a frightening threat to today’s organizations. With Todyl, you can actively prevent these attacks from happening in the first place.

Todyl’s Endpoint Security solution combines endpoint detection and response (EDR) with next-gen antivirus (NGAV) to detect and stop system-based threats like VBA macros in real time. Todyl automatically identifies malicious macro activity through our extensive managed detections, which generate alerts based on the attacks being carried out. The agent can even be used to automatically deny executables from running and stop malicious processes in progress.

Then, when you incorporate our Managed eXtended Detection and Response (MXDR) offering, you have a full-time security operations center (SOC) which actively monitors and responds to threats including VBA macro attacks. The MXDR team works on your behalf to investigate the attack, identify root causes, prevent any malicious activities, and help you report on the findings.

Learn More

Watch the video below to see how these macros work in action, and how Todyl and the MXDR team work with and for you to prevent attacks like VBA macro exploits and other new and emerging threats.

Get started with MXDR today! Reach out to us to set up a demo.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I Joined Todyl: Spotlight on David Dewey
How Todyl addresses the "Pandemic 11"
Understanding AMSI bypass techniques

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.