As Christmas greetings, invoices, and gift lists flood inboxes, malicious actors exploit the festive cheer with macro-laden attachments disguised as legitimate documents. These ‘naughty scripts’ are a classic delivery vector for malware, ransomware and credential theft. Attackers take advantage of human curiosity and urgency as employees are more likely to open a ‘delivery receipt’ or ‘holiday bonus spreadsheet’ during the festive season. Executives must be alert to this persistent threat, as malicious macros can quickly escalate into major data breaches or operational outages.
Malicious macros are small pieces of executable code embedded within Microsoft Office documents, typically Word or Excel files. When a user opens the document and enables macros, the code executes automatically, downloading and installing malware, creating persistence or establishing remote access.
Attackers distribute these documents through phishing campaigns or file-sharing links that appear to come from legitimate sources. Common lures include ‘delivery notifications,’ ‘Christmas party rosters,’ or ‘updated vendor payment forms.’ Once executed, the macro may download a remote access trojan (RAT), modify registry settings or disable antivirus software to maintain control.
Macros are particularly dangerous because they abuse a trusted feature within Office, making them difficult for traditional filters to block without impacting productivity. Attackers often digitally sign their documents or disguise file types to bypass security controls.
The Australian Cyber Security Centre (ACSC) has repeatedly warned about macro-based malware campaigns, especially during seasonal peaks. In December 2021, several Australian small businesses reported receiving ‘invoice update’ emails containing Excel files with malicious macros that installed the Emotet trojan, a notorious malware used to deliver ransomware. Once executed, the malware spread laterally through shared drives and email contacts, leading to multiple infections across connected organisations.
In the Annual Cyber Threat Report 2024-2025, Australian businesses saw the average cost of cybercrime increase by 50% overall to over $80,000. The cost to individuals grew less but still averaged $33,000 in the past year.
Several Essential Eight strategies directly address macro-based threats and significantly reduce exposure:
These measures collectively break the attack chain, stopping malicious macros from executing, spreading or achieving persistence.
By aligning with the Essential Eight and reinforcing staff awareness, organisations can ensure their systems stay secure, keeping the only Christmas surprises to those under the tree, not in the inbox.
