04-21-2021 07:13 AM
Our security team has been seeing lots of malicious stuff coming through in Excel spreadsheets that have older Excel 4.0 XLM macros in them. I saw a filter written like:
MacroFilter: if (attachment-filename == "(?i)\\.(xls|doc|ppt|xlsx|docx|pptx)$") AND
    ((attachment-binary-contains("(?i)x-vba-macros")) OR ((attachment-binary-contains("(?i)vba")) AND
    (attachment-binary-contains("(?i)versioncompatible32")))) {
    log-entry("$MatchedContent");
    insert-header("X-Macro", "True");
}
Wondering if something like this would work:
MacroFilter: if (attachment-filename == "(?i)\\.(xls)$") AND (attachment-binary-contains("(?i)xlm")) {
    log-entry("$MatchedContent");
    insert-header("X-Macro", "True");
}
Thoughts? Better ideas?
04-23-2021 03:36 AM
Hi Tony,
The Excel 4 macro file I have seen matched on (attachment-binary-contains("(?i)[Content_Types].xml")). This binary type is in all Excel files created by recent Excel versions.
You have to prepare exclusions, either based on dictionaries or on the Incoming Mail Policy. Maybe it's a better idea to have a message filter or content filter that matches on the file extension ".xlsm" only.
Here is a filter proposed by TAC support:
ExcelMacroFilter: if (sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST")
{
    if (attachment-filename == "(?i)\\.(xls|xlsx|xlsm)$") AND
        (attachment-binary-contains("(?i)Excel 4.0 Macros") OR attachment-binary-contains("(?i) x-vba-macros") OR attachment-binary-contains("(?i) [Content_Types].xml"))
    {
        log-entry("$MatchedContent");
        quarantine("policy");
    }
}
Kind Regards!
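An added example, not from this thread or from Cisco, to show why a byte match on "[Content_Types].xml" fires on every modern workbook and what a defender can inspect instead: the actual macro parts of an OOXML container, and the sheet-type byte of BoundSheet8 records in a legacy .xls. It uses only the Python standard library; the sample workbooks and the BIFF bytes are constructed inside the block, and the .xls scan is a raw-byte triage heuristic rather than a full OLE parser.

```python
import io
import re
import struct
import zipfile

XLM_PART = re.compile(r"^xl/macrosheets/[^/]+\.xml$", re.IGNORECASE)
VBA_PART = re.compile(r"^xl/vbaProject\.bin$", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls container

def scan_ooxml(data: bytes) -> set:
    """Macro kinds ('xlm', 'vba') among an OOXML workbook's zip parts: XLM under
    xl/macrosheets/, VBA in xl/vbaProject.bin ([Content_Types].xml is in every file)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if XLM_PART.match(name):
                found.add("xlm")
            elif VBA_PART.match(name):
                found.add("vba")
    return found

def scan_biff(data: bytes) -> set:
    """Heuristic scan for BoundSheet8 records (id 0x0085) in a legacy .xls: body is
    lbPlyPos (4), grbit (2), name, and grbit's high byte is the sheet type
    (0x01 = Excel 4.0 macro sheet, 0x06 = VB module). OLE container not parsed."""
    found = set()
    pos = data.find(b"\x85\x00")
    while pos >= 0 and pos + 10 <= len(data):
        rec_len = struct.unpack_from("<H", data, pos + 2)[0]
        if 8 <= rec_len <= 0x80:  # plausible BoundSheet8 length
            sheet_type = data[pos + 9]
            if sheet_type == 0x01:
                found.add("xlm")
            elif sheet_type == 0x06:
                found.add("vba")
        pos = data.find(b"\x85\x00", pos + 2)
    return found

def build_ooxml(parts: dict) -> bytes:
    """Constructed test data: a minimal zip holding the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_biff_sample(sheet_type: int, name: bytes = b"Macro1") -> bytes:
    """Constructed test data: OLE magic, padding, then one BoundSheet8 record."""
    body = struct.pack("<IBB", 0x200, 0x00, sheet_type) + bytes([len(name), 0]) + name
    return OLE_MAGIC + b"\x00" * 24 + b"\x85\x00" + struct.pack("<H", len(body)) + body
```

A plain data workbook containing only [Content_Types].xml and xl/workbook.xml yields an empty set, while a file carrying an xl/macrosheets/ part is flagged as "xlm".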
05-03-2021 12:36 PM
Tony, ESA has a Macro condition within its content filters to catch macros, may want to check it out instead. Have you tried it already?!