Malicious VBA in Microsoft Access Files Enables Credential Theft and Malware Execution
What Happened — Researchers reported a surge of malicious Microsoft Access (.accdb/.mdb) files that embed VBA macros to silently download and execute ransomware or credential‑stealing payloads. The macros exploit Access’s ability to run arbitrary code, bypassing many traditional macro‑blocking controls.
Why It Matters for TPRM —
- Access files are frequently exchanged between vendors and clients, often via email or shared drives, creating a low‑visibility attack surface.
- Compromise of a third‑party’s Access database can lead to lateral movement into the broader corporate network.
- Traditional email filters may not flag Access files, allowing the threat to slip past existing defenses.
Who Is Affected — Financial services, healthcare, education, and any organization that uses Microsoft Access for internal applications or data exchange.
Recommended Actions —
- Block or quarantine Access files from external email unless explicitly required.
- Enforce strict macro execution policies and disable VBA in Access where possible.
- Deploy content‑disarm‑and‑reconstruction (CDR) solutions to sanitize incoming Access files.
- Conduct user awareness training on the risks of opening unknown Access databases.
Technical Notes — Attack vector: malicious VBA macros delivered via Access database files; no specific CVE cited, but the technique leverages Access’s native automation capabilities to execute PowerShell or DLL payloads. Data types targeted include credential stores, internal spreadsheets, and system configuration files. Source: SANS Internet Storm Center