Block Office documents containing macros

Evan M · ‎02-26-2016

Is there any way to block office document types that contain macro's in this? The most recent cryptolocker variant (Locky) contains macro's which makes it more challenging to intercept. Blocking all office document attachments entirely isn't considered to be very business friendly.

Mathew Huynh · ‎02-27-2016

Hello Evan,

I have created a filter with some other customers whom I worked with with a similar situation and we created a filter together to attempt this stop all macro enabled office files by dropping the email if any macro enabled office file is seen. It goes through the use of a Message filter (configured on the CLI).

[Note:] This is a filter I use on my lab environment for testing and deployed, there may be some other filter alternatives or better-written filters but at this stage this one has worked well and went through a few iterations to be what it is now.

[Note2:] This filter is to be deployed at your own discretion, this was written from myself and end users whom I worked with - this filter script is not a officially supported script, please modify it to your requirements.

You can use this filter:

MacroFilter: if (attachment-filename == "(?i)\\.(xls|doc|ppt|xlsx|docx|pptx)$") AND
((attachment-binary-contains("(?i)x-vba-macros")) OR ((attachment-binary-contains("(?i)vba")) AND
(attachment-binary-contains("(?i)versioncompatible32")))) {
                  log-entry("$MatchedContent");
  insert-header("X-Macro", "True");
              }

.

Then create a content filter to look for this header to quarantine the email.

GUI > Mail Policies > Incoming Content Filters > Add a new filter

Condition -> Other Header -> X-Macro -> Value Contains -> True

Action -> Quarantine to the policy quarantine

Optional Action (Please create the text resource GUI > Mail Policies > Text Resources -> Add a new notification template.)

Action 2 -> Notify -> Define the recipient of notification and choose the template.

Submit this content filter.

Deploy it into your Mail Policies where you want it to be used.

Commit changes.

Then monitor the Policy quarantine going forward.

This was tested against hundreds of macro enabled samples and worked to expectations of myself and the users who went forward to incorporate it.

The reason why i did not just stop it at the message filter with a drop, that is very aggressive and while there are -some- legitimate emails containing macros, it's best to review it.

Regards,

Matthew

Evan M · ‎02-29-2016

I am using Cisco hosted IronPort and don't currently have CLI access. It doesn't seem like I'll be able to create this content filter through GUI, is that correct?

I believe I can request CLI access via the hosted service, so I may need to do that.

Robert Sherwin · ‎02-29-2016

Correct - in order to use the "attachment-binary-contains", this would be CLI and message filter only. This is not an option for content filters.

-Robert

Cheers,
Robert Sherwin

olaf.boettger · ‎03-15-2016

Hi, I tested it also. I thought the main problem is that the message filter is not "looking into" office attachments. It's simply performing a binary serch.

matthias.muench · ‎03-15-2016

thats right, but all macro files i had my hands on have binary readable phrases like:

word/vbaData.xml

word/_rels/vbaProject.bin.rel

word/vbaProject.bin

...and so on...

so imho the ability to search for "vba" is at least better than nothing... but @cisco:i am looking forward to see a checkbox/filetype "makro" ;)

by the way i had a few false-positives today, seems to be more accurate to search for "/vba"

MacroFilterNeu: if ((attachment-filename == "(?i)\\.(xls|xlsx|xlt|xla|xltx|xlsm|xltm|xlam|xlsb|doc|dot|docx|dotx|dotm|docm|ppt|pot|pps|ppa|pptx|potx|ppsx|ppam|pptm|potm|ppsm|rtf)$") OR (attachment-filetype != "Document")) AND ((attachment-binary-contains("(?i)x-vba-macros") OR (((attachment-binary-contains("(?i)vba")) AND (attachment-binary-contains("(?i)versioncompatible32"))) OR ((attachment-binary-contains("(?i)/vba")) AND attachment-binary-contains("(?i)[Content_Types].xml"))))) {
                 log-entry("$MatchedContent");
                 insert-header("X-Macro", "True");
             }

Ken Stieers · ‎03-15-2016

So, I was digging through the parenthesis party, and want to make sure of the logic...

AND
(
     (
  attachment-binary-contains("(?i)x-vba-macros")
  OR
     (((attachment-binary-contains("(?i)vba")) AND (attachment-binary-contains("(?i)versioncompatible32")))
   OR
  ((attachment-binary-contains("(?i)/vba")) AND attachment-binary-contains("(?i)[Content_Types].xml")))
     )
)

This first section before the first AND is almost always true... the only time its not true are "Documents" that aren't in the MS list... right?

After the AND, its looking for

"x-vba-macros"

or

(vba and versioncompatible32

or /vba and content type xml)

Did you mean to leave that slash on the second vba?

Mathew Huynh · ‎03-15-2016

Hello Matthias,

Glad to see the filter was altered to your specifications to get it to work to your requirements.

However I must add, the reason why some of the formats were not there as I was testing with some other formats such as .docm which was a macro enabled document file (hence the m) but the binary matching was somewhat different, so i suppose the additional formats you looked into, the second OR clause would be for that one.

Regards,

Matthew

bltieszen · ‎10-03-2016

Matthew,

I have tried most of the filters in this thread with none of them working. I send a know xls with a macro and they don't processed with the Header X-Office Macro. here is the filter I created. what could I be doing wrong? AMP does catch it and send it off for review.

MacroFilter: if ((attachment-filename == "(?i)\\.rtf") AND (attachment-binary-contains("(?i)vbaproject.bin"))) OR ((attachment-filename == "(?i)\\.(xls|xlt|xla|doc|dot|ppt|pot|ppa|pps|sld|xlsx|xlsm|xltx|xltm|xlsb|xlam|docx|docm|dotx|dotm|pptx|pptm|potx|potm|ppam|ppsx|ppsm|sldx|sldm)$") AND ((attachment-binary-contains("(?i)x-vba-macros")) OR (attachment-binary-contains("(?i)/vbaProject.bin")))) {
                 log-entry("$MatchedContent");
                 insert-header("X-OfficeMacro", "True");
             }

bltieszen · ‎10-05-2016

I opened a case with Cisco, and this is their suggestion.

Hi Brad,

You can use the below filter for achieving your desired results-

The message filter as follow:

macro_MSoffice_drop:

{

}

Thoughts?

hunglam210 · ‎04-11-2017

Hi Matthew,

Can you comment on the new built in macro detection on 10.0.1 build 087? Is this carried over from the work from this custom filter? I haven't tested it yet but assume it's just as effective as this filter?

Thanks

Mathew Huynh · ‎04-11-2017

Hey Hung,

I believe it should be just as if not more effective as the product team had written different codes/scripts for the matching for this.

Regards,

Matthew

matthias.muench · ‎03-15-2016

Hi! i'am new to Ironport (testing at the moment) and i found this thread a few days ago.

There are two problems, the first: it not looks into all potential macro-files (for example *.dotm) so i expanded the list of filenames.

the second: there also seems to be a problem with detecting macros, so i expanded the filterrule.

Finally it looks like it will do its job. Please expand the rule if you can find any other problems/issues, or correct me if i'am wrong ;)

MacroFilterNeu: if ((attachment-filename == "(?i)\\.(xls|xlsx|xlt|xla|xltx|xlsm|xltm|xlam|xlsb|doc|dot|docx|dotx|dotm|docm|ppt|pot|pps|ppa|pptx|potx|ppsx|ppam|pptm|potm|ppsm)$") OR (attachment-filetype != "Document")) AND ((attachment-binary-contains("(?i)x-vba-macros") OR (((attachment-binary-contains("(?i)vba")) AND (attachment-binary-contains("(?i)versioncompatible32"))) OR ((attachment-binary-contains("(?i)vba")) AND attachment-binary-contains("(?i)[Content_Types].xml"))))) {
                 log-entry("$MatchedContent");
                 insert-header("X-Macro", "True");
             }

-Matthias

exMSW4319 · ‎03-15-2016

Matthias, could you please expand the first half of that condition?

I parse that as "if one of a series of document types or not a document".

Additionally, I've seen Word malware downloaders masquerade as RTF documents. Word cheerfully loads and runs them as Word documents.

matthias.muench · ‎03-15-2016

Hi, to get it right:

you want me to add *.rtf files to the filename-list like:

MacroFilter: if ((attachment-filename == "(?i)\\.(xls|xlsx|xlt|xla|xltx|xlsm|xltm|xlam|xlsb|doc|dot|docx|dotx|dotm|docm|ppt|pot|pps|ppa|pptx|potx|ppsx|ppam|pptm|potm|ppsm|rtf)$") OR (attachment-filetype != "Document")) AND ((attachment-binary-contains("(?i)x-vba-macros") OR (((attachment-binary-contains("(?i)vba")) AND (attachment-binary-contains("(?i)versioncompatible32"))) OR ((attachment-binary-contains("(?i)vba")) AND attachment-binary-contains("(?i)[Content_Types].xml"))))) {
                 log-entry("$MatchedContent");
                 insert-header("X-Macro", "True");
             }

Thank you! tested, also works!