
VMware Carbon Black Cloud Adds Excel 4.0 Macro Prevention


VMware Carbon Black is pleased to announce the general availability of our all-new Microsoft Excel 4.0 macro prevention delivered by the newly innovated Dynamic Rule Update feature to all customers utilizing the NGAV module. This latest innovation on VMware Carbon Black Cloud delivers crucial protection against a wide array of defense evasion and obfuscation techniques in use by cybercriminals in environments with Microsoft Excel.

Leveraging new AMSI (Anti-Malware Scanning Interface) telemetry, VMware Carbon Black Cloud can now analyze all macro content in real-time to shut down attacks using malicious Excel 4.0 macros. Together with our existing AMSI Reveal functionality, customers gain critical visibility into de-obfuscated attacker behavior right within the VMware Carbon Black Cloud user interface, as well as automated prevention to drastically reduce time spent hunting for what has traditionally been a highly elusive threat.

Spear phishing remains one of the most prevalent initial access tactics attackers use to trick victims into running code on a machine. Throughout 2020, phishing attacks rose 379% over 2019. For years, Excel 4.0-based macros delivered via phishing campaigns have been a popular choice for delivering malicious payloads. This was made abundantly clear after research done by the VMware Lastline Research Group shed new light on the frightening evolution of macro code weaponization, with a new wave of samples appearing on nearly a weekly basis.

VMware Carbon Black Cloud customers now benefit from real-time detection and prevention of malicious Excel 4.0 macros whether they originate from open-source payload generation toolkits or consist of highly customized obfuscated commands. This is yet another important milestone as VMware Carbon Black continues to lead the industry in innovative approaches to more effectively secure Endpoints and Workloads across the globe.

For more information on this latest release, check out our technical deep dive.