War Room

Shells from above
Bypassing Gmail’s Malicious Macro Signatures

July 18, 2016 By Mike

Malicious macros in Excel spreadsheets are one of the most common methods of delivery in phishing attacks. If the premise is enticing enough, an unsuspecting user may download the document and enable macros which could result in arbitrary code being run on their system.

In order to simulate a phishing campaign from an attacker, we at RSM will typically utilize the macro payload from PowerShell Empire to drop agents onto victim systems via messages sent with King Phisher. One of the drawbacks of using an open-source software suite to generate these payloads is that they are often picked off in-flight. Fortunately for us, this barrier is actually fairly trivial to bypass even when implemented by some of the most widely known email providers.

The output from Empire’s one-click macro generator gives the following code:

When this code is pasted into a workbook, the Excel document now becomes a malicious payload. Gmail immediately recognizes it as such and will not even allow you to send the message:

After doing some research, I had a hypothesis as to how Gmail was determining which attachments were legitimate and which were malicious. To the naked eye this would be difficult to tell, as the payload is encoded, yet Google still flags it as dangerous. My guess is that there are two major components that go into a workbook’s malicious score:

  1. Macros that trigger on “workbook open”
  2. Macros that contain the string “powershell”

Both of these protections are pretty easy to defeat. In order to bypass the first check, I called the malicious function on a Button_Click event. This required the user to actually click on a button but with an enticing enough premise this should be no problem. I was able to take care of the second indicator by simply splitting up the word PowerShell! By splitting the string across separate lines, Gmail no longer detects this word to categorize it as malicious.

For maximum compatibility, I also saved it as a 2003-2007 workbook (.xls) to avoid the scary-sounding .xlsm extension.

After making these quick and easy changes, I had no problem getting a great inboxing rate on many different email servers. Make sure that you check your filtering rules to see how easy they are to bypass!
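Both evasions described above only work against a filter that matches the raw macro text: a string split across a VBA line continuation never contains the keyword as contiguous bytes, and a rule keyed solely on Workbook_Open never sees a button handler. A filter that canonicalises the VBA before matching (joining `_` continuations, folding `"a" & "b"` concatenations, resolving `Chr()` calls) and that treats any event handler reaching a shell primitive as an entry point closes both gaps. The Python below is an added example written for this page, not code from the original post, Empire or King Phisher; both macro samples are constructed, the `CommandButton1_Click` handler name is assumed, and the command string is a placeholder.

```python
import re

# Constructed sample of the shape the post describes: the trigger is a button
# click instead of Workbook_Open, and the keyword is split across a VBA line
# continuation. The command string is a placeholder, not a real payload.
SPLIT_KEYWORD_MACRO = '''
Private Sub CommandButton1_Click()
    Dim cmd As String
    cmd = "power" & _
          "shell -NoP -W Hidden -Enc PLACEHOLDER"
    Shell cmd, vbHide
End Sub
'''

# Constructed benign macro: fires on open, but never reaches a shell.
BENIGN_OPEN_MACRO = '''
Private Sub Workbook_Open()
    ' Refresh the pivot caches when the file is opened
    ThisWorkbook.RefreshAll
End Sub
'''

# Event handlers that run without the user deliberately invoking a macro.
ENTRY_POINT = re.compile(
    r"\bsub\s+(workbook_open|auto_open|autoopen|document_open|\w+_click)\b")
# Ways a macro typically hands control to an external process.
EXEC_PRIMITIVE = re.compile(
    r"powershell|wscript\.shell|cmd\.exe|createobject\s*\(|\bshell\b")


def _strip_comment(line: str) -> str:
    """Drop a VBA comment: from the first apostrophe outside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def _chr_to_literal(match: re.Match) -> str:
    """Rewrite Chr(n) for printable ASCII (except the quote) as a string literal."""
    n = int(match.group(1))
    if 32 <= n < 127 and n != 34:
        return '"' + chr(n) + '"'
    return match.group(0)


def normalize_vba(src: str) -> str:
    """Canonicalise VBA source so that splitting a keyword cannot hide it."""
    # Join " _" line continuations into a single logical line.
    text = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)
    # Remove comments, which could otherwise break the literal fold below.
    text = "\n".join(_strip_comment(line) for line in text.splitlines())
    # Turn Chr(112) into "p" so Chr-built strings fold like any other literal.
    text = re.sub(r"chr\((\d+)\)", _chr_to_literal, text, flags=re.IGNORECASE)
    # Fold adjacent literal concatenations: "pow" & "ershell" -> "powershell".
    concat = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
    previous = None
    while previous != text:
        previous = text
        text = concat.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text.lower()


def scan_macro(src: str) -> dict:
    """Flag a macro when an automatic entry point can reach an execution primitive."""
    text = normalize_vba(src)
    entry_points = sorted(set(ENTRY_POINT.findall(text)))
    indicators = sorted(set(EXEC_PRIMITIVE.findall(text)))
    return {
        "entry_points": entry_points,
        "indicators": indicators,
        # Either signal alone is noisy; requiring both keeps the benign
        # Workbook_Open refresh macro out of the alert queue.
        "suspicious": bool(entry_points) and bool(indicators),
    }


if __name__ == "__main__":
    for name, macro in (("split keyword", SPLIT_KEYWORD_MACRO),
                        ("benign open", BENIGN_OPEN_MACRO)):
        print(name, scan_macro(macro))
```

Running the script shows the split-keyword macro scoring as suspicious on both axes (a `_click` entry point and a `powershell` indicator after normalisation) while the benign open-event macro has an entry point but no indicator and is left alone. The folding loop is deliberately simple; a production scanner would also handle `StrReverse`, `Replace` and variable-to-variable concatenation, but even this much defeats the two tricks the post relies on.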

[Figure: A snippet of what my undetected malicious macro looks like]
Mike

Penetration tester and former educator.
