Bypass Gmail security filters

The Gmail security filters responsible for detecting malicious macros can be bypassed by splitting the "trigger word" into two or more parts, according to security researchers at SecureState.


Malicious macros are code fragments usually embedded in Office files; if the user runs them, the malware performs a series of tasks.

Macros in general were created to simplify repetitive tasks, but they have also become a backdoor in the hands of criminals.

Microsoft blocks these scripts from running automatically, and email service providers have also started scanning attachments for macro scripts that may be embedded in them.

SecureState reports that Gmail immediately flags an Office document as malicious if the script it contains uses specific words.

In their tests, Gmail identified an Excel file as malicious when its code contained the word "PowerShell," a very powerful Microsoft scripting utility that, through macros, can interact with the Windows system.

Surprisingly, when they split that word into two, they managed to bypass the Gmail security filter.

An attacker who knows this trick only needs to split the word across two separate lines, as shown below.

Str = "powershe"
Str = Str + "ll.exe -NoP - not -NonI -W Hidden -Enc JAB3"

In addition, SecureState researcher Mike Benich reports that Gmail flags as malicious any macro scripts in Excel files that use the "workbook open" function, but he managed to bypass this check as well, simply by placing the dangerous code under a button.
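Seen from the filter's side, both tricks work against a check that matches keywords on the raw macro text or keys on the auto-run entry point. A scanner that first resolves simple string assignments and concatenations sees the word whole, whichever procedure holds it. The Python below is an added example, not SecureState's or Gmail's code; the keyword list, function names and sample macro are assumptions constructed for illustration.

```python
import re

# Assumed keyword list; "powershell" is the trigger word named in the article.
KEYWORDS = ("powershell",)
STRING = r'"(?:[^"]|"")*"'
ASSIGN = re.compile(r'^\s*(?:Let\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
# One operand (string literal or variable name) followed by +, & or end of line.
OPERAND = re.compile(rf'\s*({STRING}|\w+)\s*(?:[+&]|$)')

def fold_strings(vba_source):
    """Return every string value produced by simple assignments and concatenations."""
    env, values = {}, []
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1).lower(), m.group(2)
        parts, pos = [], 0
        while pos < len(expr):
            t = OPERAND.match(expr, pos)
            tok = t.group(1) if t else None
            if tok is None or (tok[0] != '"' and tok.lower() not in env):
                parts = None  # function call, number or unknown variable: give up
                break
            parts.append(tok[1:-1].replace('""', '"') if tok[0] == '"' else env[tok.lower()])
            pos = t.end()
        if parts is None:
            env.pop(name, None)  # the variable's value is no longer known
        else:
            env[name] = "".join(parts)
            values.append(env[name])
    return values

def naive_scan(vba_source):
    """Keyword match on the raw macro text, the kind of check the split evades."""
    return [k for k in KEYWORDS if k in vba_source.lower()]

def folded_scan(vba_source):
    """Keyword match on resolved string values, so a split literal is seen whole."""
    joined = "\n".join(fold_strings(vba_source)).lower()
    return [k for k in KEYWORDS if k in joined]

# Constructed sample modelled on the article's two-line split, under a button handler.
SAMPLE = '''Sub Button1_Click()
    Str = "powershe"
    Str = Str + "ll.exe <arguments elided>"
    Shell Str
End Sub
'''
```

Values built with function calls such as Chr() are not resolved by this folding and would need a fuller VBA evaluator.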

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
