Warning to Office for Mac Users; Beware of SYLK files

Microsoft Office for Mac users should be aware of the .SLK file extension and know that the SYLK file type could contain malicious Excel macros. SYLKs are older, legacy files but are still supported in the most recent versions of Office and can run code in the background of the targeted computer.

These infected files can execute their payload even if the target machine has turned on the “disable all macros without notification” security feature within Office. With this feature turned on, opening potentially dangerous files will result in the Protected View banner (see below image) being displayed at the top of the screen. When Protected View is active the program runs in a read-only mode that disables editing functions. Typically, this protected view keeps the macros from running, thwarting what would be an attack on your system.

Unfortunately, SYLK files do not prompt Protected View to open by default, meaning you will not see a warning message stating that the file could contain viruses. So, if you have configured Office to “disable all macros without notification” your machine will execute the macros in SYLK files without prompting for approval. This issue has been seen in Office 2016 & Office 2019 for Mac as well as Microsoft Office 2011 for Mac.

Aside from the potential to run code on a machine without the need for end user approval, SYLK files are being used as the payload vehicle due to the fact they are not often blocked by default. SYLK files are not included in the Outlook Web Access blocked extension list, Microsoft Outlook blocked attachments list or is it listed as dangerous in Chrome’s safe file list.

The best way to protect yourself from this threat is to not open any files or attachments that contain the SYLK extension or to verify with the sender that the file is legitimate. You can also set your application to open SYLKs in Protected View or block these types of files in the Office Trust Center settings menu.