Tempest's consulting team recently found a flaw in Microsoft's Advanced Threat Protection (ATP), a cloud service that filters e-mail messages for threats such as spam, malware and phishing delivered through links or attachments. The vulnerability allows an attacker to bypass the protection and deliver Office files carrying malicious macros.

Attacks based on malicious macros have been around for a long time. Abusing this mechanism, usually combined with the exploitation of other software vulnerabilities and with social engineering, is often an easy and quick way to take control of a target.

Techniques like this are used both in simple attacks and in complex campaigns run by threat actors with long track records. In recent months, for example, macro-based attacks have been reported in campaigns involving the Emotet banking trojan, espionage by the Iranian APT MuddyWater, large financial thefts carried out by the FIN7 group, and politically motivated attacks conducted by APT28. This is a very common form of compromise, and defending against it depends heavily on the user as well as on solutions that stop attacks before they reach the user.

One of the platforms intended to reduce the risk of such attacks is Microsoft's Advanced Threat Protection. According to the vendor's documentation, it is a cloud solution that scans links and attachments and correlates them with 6.5 trillion signals per day collected from other Microsoft products and services, which the vendor says yields a malware detection rate of 99.9%.

APTs, or Advanced Persistent Threats, exploit human and system weaknesses to remain in the target environment for a long time and extract information of interest to the attacker. Part of the consulting team's work is to simulate these attacks in order to identify ways of defending against them. In such engagements, malicious artifacts are built in different forms and structures and delivered in various ways. Recently, the team discovered a way to deliver macro-based malware that circumvents Advanced Threat Protection.

To do this, a self-extracting archive (SFX) containing a malicious DOC file was generated with WinRAR; other tools can produce the same result. The output of the SFX build is an executable (.exe), which antivirus tools, including ATP, commonly block. When the same file is renamed with a .zip extension, however, it passes through Microsoft's solution, so the threat reaches the user, who can open it and enable the macro.
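The only thing that changed in the bypass above is the file name, so the practical check is to classify attachments by their leading bytes rather than by extension. The script below is an added example (it is not Tempest's or Microsoft's code): it recognises a PE image by its MZ stub and `PE\0\0` signature, treats a PE with a RAR signature appended as a WinRAR-style SFX, and blocks any attachment whose extension does not match its content. The sample "SFX" and ZIP are constructed in memory; the function names and the `EXPECTED` table are assumptions for illustration.

```python
"""Content-based attachment check (added example, not Tempest's or
Microsoft's code).  A filter keyed on the file extension passes an SFX
executable renamed to .zip; sniffing the bytes catches it regardless of name.
Sample files below are constructed, not real malware.
"""
import io
import os
import struct
import zipfile

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")                 # local header / empty archive
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 signatures
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"              # legacy .doc/.xls container

# Assumed policy table: which content types an extension is allowed to carry.
EXPECTED = {".zip": {"zip"}, ".rar": {"rar"}, ".doc": {"ole"}}


def is_pe(data: bytes) -> bool:
    """True if data is a PE image: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_container(data: bytes) -> str:
    """Classify an attachment by content only; the file name is ignored."""
    if is_pe(data):
        # A WinRAR SFX is a PE stub followed by the RAR archive it unpacks.
        if any(m in data for m in RAR_MAGICS):
            return "pe-sfx-rar"
        return "pe"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    if data.startswith(RAR_MAGICS):
        return "rar"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def verdict(filename: str, data: bytes) -> str:
    """Block executables outright; otherwise require extension and content to agree."""
    ext = os.path.splitext(filename.lower())[1]
    kind = detect_container(data)
    if kind.startswith("pe"):
        return f"block: executable content ({kind}) named {filename}"
    allowed = EXPECTED.get(ext)
    if allowed is not None and kind not in allowed:
        return f"block: extension {ext} does not match content ({kind})"
    return "allow"


# --- constructed samples ---------------------------------------------------
def make_fake_sfx() -> bytes:
    """Minimal PE-looking stub with a RAR signature appended (constructed, not a real SFX)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    pe = b"PE\x00\x00" + b"\x00" * 60                       # placeholder PE header
    return dos + pe + RAR_MAGICS[0] + b"<rar archive holding invoice.doc>"


def make_real_zip() -> bytes:
    """A genuine ZIP holding a fake legacy .doc, built with the zipfile module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.zip", make_fake_sfx()),
                       ("invoice.exe", make_fake_sfx()),
                       ("invoice.zip", make_real_zip()),
                       ("notes.zip", b"not an archive")]:
        print(f"{name:12} -> {verdict(name, blob)}")
```

The renamed SFX is blocked on content (`pe-sfx-rar`) whatever its extension, the genuine ZIP is allowed, and a `.zip` that is neither a ZIP nor an executable is blocked for the mismatch. A gateway that only consulted the extension would have let the first case through.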

Demonstration of the attack (video by Tempest)

Microsoft was informed of the problem on 16 April 2019. The consulting team and the vendor exchanged messages on the 17th and 19th of the same month; on the 25th, the company confirmed that the exploitation is possible and authorised disclosure, but stated that it would not fix the vulnerability.

Organisations are therefore advised not to rely on security tools alone and to adopt additional measures, such as training and user awareness programmes focused on this kind of attack.