KnowBe4's Field Guide to Macro Warning Screens

Earlier this week today we assisted several companies that were hit by ransomware. Although companies and organizations hit by ransomware can usually pinpoint the source or employee responsible for a ransomware infestation, they often cannot identify the precise attack vector used to compromise the victim's PC. In the two cases we just handled, however, the attack vector used by the bad guys was identified: macro-laden Word documents delivered through phishing emails.

Malicious Macros

Malicious Word documents are depressingly common and are one of the more frequently used vehicles for delivering ransomware to the desktops of unwitting victims. Massive phishing campaigns pushing Locky, Cerber, and Zepto through macro-laden Word docs have become persistent, enduring features of the threat landscape.

Despite that fact, we continue to see these malicious Word documents sailing past anti-virus programs on a daily basis. Even more maddening, though, are the regular reminders that users often enough take the bait and click all the way through these ransomware traps. And there's just no excuse for this to be happening, given the number of hurdles that users must surmount before finally unleashing the ransomware on their companies' PCs and networks.

After opening the malicious emails and attached Word documents, users are warned by Word itself in a yellow bar under the main menu bar that the document contains macros (plain text scripts or programs) that have been disabled by default to protect users against the risk of malicious macros.

Malicious Macros Warning

Users can enable those macros by clicking the "Enable Content" button on the yellow bar.

Macro Warning Screens

While some malicious Word docs rely entirely on users themselves to eventually click yellow warning bar (and, thus, enable the malicious embedded macros), most macro-laden Word docs that we see anymore leave little to chance, prodding users to click the yellow bar with cleverly designed screens that step users through the process. If users fail to enable the macros, the attack is thwarted.

Since the start of this year we have collected screenshots of more than three dozen different macro warning screens used by the bad guys. These screens, which are effectively used to socially engineer users into compromising their own security, are now strikingly sophisticated and very professional looking. To the unschooled and unsavvy user, such screens might very well be mistaken for native features or components of Microsoft Office.

A Rogues Gallery

In the interests of teaching users what to look for, we have assembled a small gallery of the most common macro warning screens we've seen used by the bad guys over the past few months. We encourage you to share this gallery with your employees and users so that they can become more familiar with this common form of social engineering and, most importantly, recognize it when they see it.

Ransomware Enable Macros Warning

Word Document Ransomware Macros Message

Fake Delivery Notice To Enable Macros

Microsoft Word Enable Macros Ransomware

Fake Invoice Enable Macros Warning

There are, of course, a wide variety of macro warning screens in use by various malicious groups engaged in phishing campaigns. The five depicted above, though, are the most common ones that we see on a daily basis. And most of the others that we see in use are variants in one way or another on these core five screens.

Ransomware Hostage Rescue Manual

Get the most complete (updated spring 2016) Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.

Get Your Manual

Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews