Emotet botnet operators (tracked as TA542) have been spotted testing new attack techniques after Microsoft disabled VBA macros by default. At present, the new technique is used on limited targets, indicating that this might be a test run.

The new attack chain

Researchers from Proofpoint have revealed that the operators are testing new techniques in more selective attacks before adopting them in their usual large-scale malspam attacks.
  • The campaign was spotted between April 4 and April 19. The activity happened while Emotet was on a spring break avoiding typical high-volume threat campaigns.
  • The recent campaign uses a compromised sender’s account and the emails were not sent by the usual spam module of Emotet.

Additional insights

  • The email subjects include simple words such as ‘Salary’ and the messages include OneDrive URLs pointing to zip files loaded with Excel Add-in files.
  • The execution of the Excel Add-in (XLL) files in the ZIP archives allows the dropping and execution of the Emotet payload from the Epoch 4 botnet.
  • The testing of different attack chains is most probably an attempt to evade detection and stay hidden.
Apparently, the attackers are now interested in new techniques that do not rely on macro-enabled docs.


Just after Microsoft disabled macros, Emotet developers have come up with new ways to overcome it, providing an indication of their striving efforts to stay on top of their game. Moreover, a low-volume attack and use of OneDrive further indicate that they are testing their updates, and maybe planning for something big in near future.
Cyware Publisher