Infiltrate Security Conference OPEN CFP

This CFP closes in 2 days

Sandbox evasion using VBA Referencing

Mitigation bypass

The sandbox, last line of defense for many networks, isn't what it used to be. In our talk, we show how attackers can bypass sandbox security, inserting malicious code on servers without getting flagged, by taking advantage of basic rules of how VBA (Visual Basic for Applications) macros and sandboxes operate. If once a sandbox could "arrest" a VBA macro based on its anomalous structure or attempted activity, the method we demonstrate shows how attackers can hide their capabilities and change their actions to evade detection by sandboxes. The trick is in taking advantage of VBA's support of referencing methods from another remote VBA project, and principles of sandbox security, which let files do whatever they were programmed to do without impediment or limitation, in a supervised environment. In our presentation, we demonstrate how malicious actors might take advantage of these principles to carry out attacks: * An attacker prepares two documents. One document, containing macros that trigger malicious actions, is placed on the attacker's server. * A second document, sent to the victim, contains a macro that simply calls functions from the malicious document. * If that document is executed within a sandbox, the attacker is alerted that a sandbox environment is present, and the macro is being served an "innocent" function, or an empty one. When the document passes through the sandbox onto the user's machine, the attacker is informed that it's operating in a user environment, and unleashes the malicious macro. * The attacker can pull this off without having to use any sandbox-evasion capabilities. How does the attacker guarantees shipping a benign file for sandbox environments and a malicious file for a user environment without applying any sandbox evasion tricks? How do commercial sandboxes react to this technique? The answers are in our presentation, Sandbox Evasion using VBA Referencing.

Back to Open CFP
Rated 5 - 19 reviewers


Interested in Speaking?

We are pleased to announce the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused-fresh-content presentation, please submit an abstract, Bio and headshot to This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. Call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.

Some of the benefits of speaking at INFILTRATE are:

  • A trip to Miami Beach during the non-gates-of-hell hot season
  • A stay at one of the premier luxury resorts in the area
  • A no-bullshit environment where you don't have to be apologetic about
  • Ability to participate in the 1st ever profit sharing conference