Don’t Share Email with Scripts and Macros

Sharing documents with scripts and macros over email is a habit you want to break, says Broderick Aquilino, Senior Researcher at F-Secure.

“Both scripts and macros are commonly used attack vectors,” he told us. “Users practicing this increase their risk because it becomes harder for them to distinguish something malicious from what they are receiving day to day.”

Casually sharing files that could easily lead to malware infections, including ransomware, effectively “trains” you to open documents in emails with impunity. “It is also harder to control and audit who has access to which documents.”

An alternative to sharing these files as attachments is to use a file server with proper access control.

“Make sure only authorized users are able to share documents and that they are only accessible to the target audience,” he says. “This way users can know to a certain extent that documents came from a trusted source. If an authorized user accidentally gets infected, the impact will also be limited.”

But here’s an even better solution: stop using macros!

They’re a relic from an era when the internet wasn’t widely accessible.

“Times have changed and even Microsoft itself has been finding ways to limit the use of macros. So if users can, they should take the next step and disable macros altogether. Admins can do this via group policy. This prevents users from getting social engineered into enabling and running macros.”

Attachments have been a scourge of internet security for decades now and the classic rule that you should avoid opening them at all if you cannot verify the sender still applies. But criminals know that you know that.

“Malicious attackers will be pretending to be someone you know, so having a clearly defined email policy that includes what type of attachments staff may or may not send and open can be helpful,” he said. “A good general rule is to prohibit the use of file types that have the ability to execute code.”
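
One way a mail gateway could enforce the rule quoted above, shown as an added example that is not code from F-Secure or the original article. The extension deny-list, the function names and the sample message are assumptions constructed for illustration; the check also catches a macro-enabled document renamed to a macro-free extension.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed deny-list (constructed for this example): script and macro-enabled Office types.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
               ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppsm"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def has_vba_project(data):
    """True if data is an OOXML (zip) file carrying a conventionally named VBA part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip, or too damaged to inspect

def check_attachments(raw):
    """Return (filename, reason) for every attachment that violates the policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1]  # last extension, so "a.pdf.js" yields ".js"
        if ext in BLOCKED_EXT:
            findings.append((name, "blocked extension " + ext))
        elif has_vba_project(data):
            findings.append((name, "macro project inside renamed Office file"))
        elif data.startswith(OLE_MAGIC):
            findings.append((name, "legacy OLE file, macros cannot be ruled out"))
    return findings

def build_sample():
    """Constructed message: one script, one renamed macro document, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "files"
    msg.set_content("see attached")
    kw = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(b"// constructed placeholder", filename="invoice.js", **kw)
    msg.add_attachment(buf.getvalue(), filename="report.docx", **kw)
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_attachments(build_sample()))
```

Checking content as well as the extension matters because the file name is chosen by the sender, while the VBA part inside the archive is what Office would actually load.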

Unsolicited email is generally not worth your time, Broderick said. This was true in 1998 and it’s true in 2018.

“My bet is that an email is most likely spam if you were not expecting it and the email does not have your name explicitly listed in the recipient list, or the list is hidden or too large. Most probably, you won’t be missing anything important and are better off not opening them.”

But since we all make mistakes, a bad habit is a good thing to eliminate.

It will be one of the most difficult habits to break as curiosity gets the better of us. However, staff needs to be reminded regularly.
