There are currently large amounts of ‘spam’ emails being sent containing .DOC and .XLS files. These files are sometimes almost benign, containing just a spam message, but often contain macros which can do malicious things, such as downloading viruses from the Internet when the files are opened.
These files seem to be very difficult for virus scanners to block. This appears to be because the macros are written in VBA which can be obfuscated in many different ways, so detecting malicious macros without detecting benign macros can be difficult to do reliably.
In VPOP3 there are several things that can be done:
- If you have an up-to-date subscription for the VPOP3 spam filter, the spam filter will automatically block many indicators for suspicious macros inside DOC files. This can’t be totally accurate because of the possible obfuscation, but it detects many of the files.
- If you have an up-to-date subscription for the VPOP3 spam filter, you can go to Settings -> Spamfilter -> General -> Rule Weights tab, and set the ‘BlockDoc’ and ‘BlockXls’ weights to ‘1’. This will make VPOP3 quarantine any DOC, DOCM, XLS and XLSM files. If the message is from someone in your spamfilter whitelist, the message will still be received.
- You can block DOC, DOCM, XLS and XLSM files in the VPOP3 attachment filtering – go to Settings -> Attachment Processing -> Filtering tab, and add the following lines to the Attachment filenames to filter box.
This will filter any incoming messages with these filenames.
- If you have a subscription for the VPOP3 Antivirus plugin, you can set that to treat any Microsoft files with macros as if they are viruses. See this blog post.
Is blocking these files safe?
Most people receive far fewer Microsoft Office documents in incoming mail than they think they do. Usually if you receive invoices or statements they will be in PDF format, not DOC format, so just blocking all Office documents will probably have a far smaller impact than you expect.
Note that we do not suggest blocking .DOCX or .XLSX files. Those file types cannot contain macros, so, while they can still contain spam messages, they cannot contain macro malware. Versions of Office from 2007 onwards save files in this format by default, so most modern documents will be in these formats, which are ‘safe’ to receive (obviously, they may still contain malicious text).
Modern versions of Office save files containing macros as .DOCM or .XLSM files, which is why we suggest blocking those. Older versions of Office saved files of any sort as .DOC or .XLS files so it is not easy to tell which of those contain macros without opening them, but it is reasonable to block those in most cases because most people use more modern versions of Office, or send documents as PDF files.
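The extension policy described above can be checked offline against a mail sample. The following Python sketch is an added example, not VPOP3 code or configuration: it lists the attachments of a message that the DOC/DOCM/XLS/XLSM rule would stop, and goes one step further than the article by also flagging any zip-based attachment that carries a `vbaProject.bin` part (the part that holds the VBA project in macro-enabled .DOCM and .XLSM files), whatever the attachment is called. The function names, addresses and sample message are constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the article suggests blocking; .docx/.xlsx are deliberately absent.
BLOCKED_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm"}

def has_vba_part(data: bytes) -> bool:
    """True if data is a zip container that holds a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all (legacy .doc/.xls, PDF, plain text, ...)

def attachments_to_quarantine(raw: bytes) -> list[str]:
    """Return the attachment filenames the policy would stop (hypothetical helper)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name)[1].lower()  # case-insensitive match
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS or has_vba_part(data):
            hits.append(name)
    return hits

def build_sample() -> bytes:
    """Constructed test message; attachment bodies are placeholders, not real documents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg.set_content("See attached.")
    macro_zip = io.BytesIO()
    with zipfile.ZipFile(macro_zip, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"placeholder")
    for name, data in [
        ("Invoice.DOC", b"placeholder"),       # legacy format, blocked by name
        ("report.docx", b"placeholder"),       # allowed by the policy
        ("sheet.xlsm", b"placeholder"),        # macro-enabled, blocked by name
        ("mislabelled.docx", macro_zip.getvalue()),  # caught by the content check
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(attachments_to_quarantine(build_sample()))
```

The content check only applies to the zip-based formats; legacy .DOC and .XLS files are still matched by name alone, as the article recommends.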