With the plethora of e-mail born Office documents with active macros in them to pull down malware/ransomware we sent out the following e-mail to all of our clients for distribution internally.
Good day everyone,
It’s gotten to the point now where we are considering a universal restriction on incoming Office Documents. By that we mean plucking them right out of the e-mail via ExchangeDefender by default.
We have somehow travelled back to the 1990s where the bad guys are setting up Office documents with a Macro, an automatic script that runs when the document gets opened, that goes on to pull down their nefarious malware or ransomware.
Here are some steps to help protect us:
- Microsoft Office has a Save As PDF feature built-in. Please have all outside folks send a PDF instead of an Office document
- This is especially critical for Resumes. All job postings _must_ request PDF and note that Office documents would be deleted on the spot!
- If collaboration is required for Office documents use ShareFile
- Preferred over Dropbox since security is questionable with the Dropbox service
- Most Office documents that have Macros built-in have an “m” in the extension
- Save the Office document to Downloads and verify!
- If extensions are not shown then right click the file and left click on Properties
- Users _should_ be prompted:
- Obviously, the answer should be to NOT click that button
- If they do, there is one last cause for pause
- This is what happens if I try and click on something that is Macro driven _before_ clicking Enable Content
Along with the need to be mindful of any Microsoft Office attachments in our e-mail we should also remember the following:
- Never click on a link in an e-mail without at the least verifying its destination:
- Hover the mouse cursor over the link to verify
- As a rule: Never, ever, click on a link in an e-mail. Go to the web site after opening a new browser window (IE, Firefox, Chrome, Safari)
- It may _look_ like it came from someone you know but never trust that. Call and ask!
- There are a few exceptions to this rule thus make sure to hover your mouse over the link before clicking!
- Advanced users can check the headers
- Don’t save important site’s information in the browser
- Banking IDs and passwords
- CRA and critical site’s IDs and passwords
- Do not disable the secondary question for any computer
- Banking sites use this feature to help protect the account as one example
- Answer the question, it only takes a couple seconds and could save your savings!
- Never call the 800 number that comes up in a Search for Support!
- Go to the manufacturer’s web site and click on the Support link to find the correct phone number
- Never believe a pop-up message that says your computer is infected with something!
- And never, EVER, call the 800 number on that pop-up!
- Don’t click anywhere, close and save your work if needed then, reboot!
- Do NOT click anywhere in the pop-up window. Looks are deceiving as all areas of that pop-up = YES/ACCEPT/CONTINUE
- Never volunteer a credit card number or banking information to anyone
- Social Security/Social Insurance Numbers too!
- Folks can garner a lot about us online. Never volunteer any information when asked via any incoming call/e-mail/forum
- Always call them back!
- Caller says they are from the bank, CRA, or other seemingly critical business?
- Ask for their badge number, an 800 number to call, and an extension
- Open a browser and verify the 800 number belongs to the bank/CRA/CritBiz.
- Then call them back after hanging up if the number proves true!
While the above list is far from complete, by following these guidelines we can greatly reduce the chances of a malware or ransomware infection.
And, as always, e-mail or call if you are not sure about something!
Please feel free to use this as a template for training users!
Have a great weekend everyone. It’s +10C here and much like an awesome Spring day!
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book