Attachments were barely on the radar at the start of 2014, but began slowly picking up in the spring, with growth accelerating in the fall. By the end of the year, phishing emails were evenly divided between URLs and attachments. Then URL use declined at the start of this year, and the use of attachments continued to climb, to the point where they were outnumbering URLs four-to-one by April.
And the trend seems to be accelerating. According to Proofpoint, there were 56 different campaigns that used macros to deliver the Dridex Trojan, sometimes delivering several million malicious emails in a single day.
There were two reasons for this, according to Kevin Epstein, vice president, advanced security and governance at Proofpoint. Macro writers got better at evading security mechanisms, and drive-by downloads became harder to do.
To successfully deploy malware via a browser download, the criminals has to discover a bug in the browser and write code to take advantage of that bug.
"It's not cheap or easy to find these flaws," Epstein said.
Plus, once the first malware campaign hits, everyone learns about the flaw, it gets fixed, people install the patches or updates, and the window of opportunity for the criminals narrows dramatically.
That's not the case with macros, however.
Despite all the training efforts, users continue to open phishing emails and click on attachments.
According to a Proofpoint report, users open 10 to 20 percent of all phishing emails, and click on one out of every 25 phishing attachments they receive. That's a success rate of around 4 percent -- double the success rates of legitimate advertising campaigns, said Epstein. That's because criminals have more tricks they can use than real companies.
[ USER ERROR: The things end users do that drive security teams crazy ]
"They're not bound by ethical constraints. they can spoof your friend's email address, or have an enticing subject line," he said.
Plus, attackers typically don't respect anti-spam legislation and will send out millions of emails at a time. With a 4 percent success rate, that translates into 40,000 downloads per million emails.
"If I initiate one successful bank transfer out of that, I'll have paid for my campaign times 10," he said. "The math works in their favor."
The attackers carefully track both their download rates and their attachment open rates, he said, and continually adapt their email content for maximum effectiveness.
Most recently, he said, those are very straightforward emails pretending to be from an electronic fax or email system, followed by invoices or financial transfer instructions.
When opened, the macros only activate when the user clicks on something in the document -- to see an enlarged version of a table, for example. That way, Epstein explained, they evade sandbox-based security.
Even if the user has macros disabled, they will regularly approve an override out of habit, he said.
"The weakest link, again, is us," he said.
The macro then installs a new piece of malware, usually the Dridex trojan, which quietly monitors the user's browsing history and steals banking credentials.
To battle this threat, Epstein recommends upgrading to the latest gateway security technology if the current system was installed more than a couple of years ago. And, in addition to initial protection, invest in targeted attack protection and threat response technologies, he added, for when malware does slip through.