There are several types of attachments that can be used within a simulated phishing campaign. In this knowledge base article, we will focus on attachments that contain macros.
- What are attachments that contain Macros?
- How do I use an attachment with a Macro?
- What does it take to enable Macros on attachments?
What are attachments that contain Macros?
Attachments that contain macros look like any other Microsoft Word or Microsoft PowerPoint document, except their file extension will be slightly different. Instead of the classic "ppt" or "doc", the file extensions indicate that there is a macro by appending an "m" to the extension, becoming "pptm" or "docm".
How do I use an attachment with a Macro?
To use an attachment with a macro enabled when creating a simulated phishing template, you can follow these steps:
- Click "Emails" under templates in the Phishing section in the left-hand column.
- Click "Add new Template".
- Scroll down to below the template editor to the attachment type field.
- Go to the attachment type drop-down below the template editor and select one of the attachments with "with Macro" in the name.
The current attachments containing macros are:
- Microsoft™ Word Document with Macro and Whoops Message
- Microsoft™ PowerPoint™ Document with Macro and Whoops Message
What does it take to enable Macros on attachments?
Microsoft has recently enhanced user protection by disabling all macros by default. This change means that enabling macros on a document now requires more effort than before. To enable macros in a document, the user must follow these steps:
- Go to the drop-down menu on the email containing the attachment.
- Click Save, to save the attachment to your computer.
When opening a document with a macro without unblocking it, a banner will appear at the top of the document. To unblock the document, the end user should:
- Navigate to the document in the file explorer.
- Right-click on the Word document and select "Properties".
- Tick the "Unblock" checkbox in the file properties.
- Press "apply" to unblock the macros.
- Press "ok" to confirm the change.
- After reopening the document, a new message will appear, stating that macros are disabled, along with a button to enable them. Clicking this button activates the macro.
When the macro is enabled, the end user will receive a warning message reminding them never to open an unknown document with macros enabled.
- Monitoring the campaign statistics "Opened Attachment" will reveal whether the attachment has been opened.
It is important to note that opening a document and enabling macros involves a series of steps. End users who complete these steps have essentially navigated through several metaphorical 'hoops' and bypassed security protections in an attempt to enable a potentially malicious macro, which may serve as an indicator of which users need additional training.