Bypassing Gmail’s Malicious Macro Signatures

Malicious macros in Excel spreadsheets are one of the most common delivery methods in phishing attacks. If the premise is enticing enough, an unsuspecting user may download the document and enable macros, which can result in arbitrary code being run on their system.

In order to simulate a phishing campaign from an attacker, we at SecureState will typically utilize the macro payload from PowerShell Empire to drop agents onto victim systems via messages sent with King Phisher. One of the drawbacks of using an open-source software suite to generate these payloads is that they are often picked off in-flight. Fortunately for us, this barrier is actually fairly trivial to bypass even when implemented by some of the most widely known email providers.

The output from Empire’s one-click macro generator gives the following code:

When this code is pasted into a workbook, the Excel document now becomes a malicious payload. Gmail immediately recognizes it as such and will not even allow you to send the message:

After doing some research, I formed a hypothesis about how Gmail decides which attachments are legitimate and which are malicious. To the naked eye this would be difficult, since the payload is encoded, yet Google still flags it as dangerous. My guess is that two major components feed into a workbook’s malicious score:

  1. Macros that trigger on “workbook open”
  2. Macros that contain the string “powershell”

Both of these protections are pretty easy to defeat. To bypass the first check, I called the malicious function from a Button_Click event instead. This requires the user to actually click a button, but with an enticing enough premise that should be no problem. I took care of the second indicator simply by splitting up the word PowerShell! Once the string is split across separate lines, Gmail no longer finds the word and does not categorize the file as malicious.
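A defender-side check that neither trick fools, added here as an example and not part of the original post: it joins VBA line continuations and folds literal concatenation (and simple Chr() calls) back together before keyword matching, and it flags any event handler that reaches a shell primitive, not only Workbook_Open. The macro text it scans is constructed for this example; the function and pattern names are mine.

```python
import re

# Constructed sample, not from the original post: the entry point is a button
# click rather than Workbook_Open, and "powershell" is split across a line
# continuation so no contiguous copy of the word exists in the source text.
SAMPLE_VBA = '''
Private Sub CommandButton1_Click()
    Dim cmd As String
    cmd = "power" & _
          "shell"
    Shell cmd, vbHide
End Sub
'''

LINE_CONT = re.compile(r"\s*_\r?\n\s*")            # VBA " _" line continuation
STR_CONCAT = re.compile(r'"\s*&\s*"')              # "a" & "b"  ->  "ab"
CHR_CALL = re.compile(r"\bChr\((\d+)\)", re.I)     # Chr(112)   ->  "p"
ENTRY_POINTS = re.compile(
    r"\bSub\s+(Workbook_Open|Auto_Open|Document_Open|\w+_Click)\b", re.I)
EXEC_CALLS = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|Run)\b", re.I)
KEYWORDS = ("powershell", "cmd.exe", "wscript", "-enc")

def _chr_to_literal(m: re.Match) -> str:
    code = int(m.group(1))
    # Only printable ASCII, and never a quote, so the literal stays well-formed.
    return '"%s"' % chr(code) if 32 <= code < 127 and code != 34 else m.group(0)

def normalize_vba(src: str) -> str:
    """Undo the splitting tricks so keyword matching sees reassembled strings."""
    src = LINE_CONT.sub(" ", src)
    src = CHR_CALL.sub(_chr_to_literal, src)
    prev = None
    while prev != src:                 # fold repeatedly: "a" & "b" & "c"
        prev, src = src, STR_CONCAT.sub("", src)
    return src

def scan_macro(src: str) -> dict:
    """Report entry points, execution primitives and keywords after normalization."""
    norm = normalize_vba(src)
    entry = [m.group(1) for m in ENTRY_POINTS.finditer(norm)]
    execs = sorted({m.group(1) for m in EXEC_CALLS.finditer(norm)})
    words = [k for k in KEYWORDS if k in norm.lower()]
    return {
        "entry_points": entry,
        "exec_calls": execs,
        "keywords": words,
        # Any auto-run or click handler reaching a shell primitive is suspicious,
        # whether or not a known keyword survived obfuscation.
        "suspicious": bool(entry and execs),
    }
```

Structural signals (handler plus shell call) survive even when a new string-splitting variant defeats the keyword list, which is why the verdict does not depend on the keywords alone.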

For maximum compatibility, I also saved it as a 2003-2007 workbook (.xls) to avoid the scary-sounding .xlsm extension.

After making these quick and easy changes, I had no problem getting a great inboxing rate on many different email servers. Make sure that you check your filtering rules to see how easy they are to bypass!


[Figure: A snippet of what my undetected malicious macro looks like]

Research analyst. Physics geek. Former educator. OSCP