Monday, May 23, 2022

Microsoft to stop running of VBA macros by default

Microsoft is taking a step towards blocking malware-bearing macros, one of the biggest tools used by threat actors to spread malware through phishing.

The company said today that the running of Visual Basic macros will be blocked by default in five Office applications, starting in April.

“While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button,” Kellie Eickmeyer, a member of Microsoft’s Tech Community, said in a blog. “Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access.”

“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet.”

After the change, once a user opens an attachment or downloads an Office file containing macros from the internet, they will no longer be able to enable content with a click of a button. Instead, a message bar will display a Security Risk alert that the file contains Visual Basic for Applications (VBA) macros obtained from an untrusted source, and provides a Learn More button to click.

thumbnail image 1 captioned A message bar displays a Security Risk showing blocked VBA macros from the internet

“The default is more secure and is expected to keep more users safe, including home users and information workers in managed organizations,” Eickmeyer said.

Macro-based malware continues its rise, Microsoft’s security team noted in a separate blog. Recent data from the Office 365 Advanced Threat Protection service indicates 98 per cent of Office-targeted threats use macros.

“The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros,” Microsoft said.

“Threat actors will howl at this news,” said Brett Callow, a British Columbia-based threat analyst for Emsisoft. “They’ve been exploiting macros for years, for literally decades, and this very minor alteration to default behaviour will make it much harder for them to exploit the vector. Why it’s taken Microsoft so long to make this change is utterly baffling. Yeah, there’ll be some negative impacts for organizations, but they can be worked around and this change is definitely for the greater good.”
A new feature in Office 2016 will also help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:
  • allows an enterprise to selectively scope macro use to a set of trusted workflows;
  • blocks easy access to enable macros in scenarios considered high risk;
  • provides end-users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel, and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  • documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email);
  • documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites);
  • documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox). However, a macro will not be blocked when the file is opened from the OneDrive location of the user signed into the client, i.e., your own OneDrive location, or when the file is opened from within the tenant (OneDrive for Business or SharePoint Online) of the user signed into the client, i.e., your own tenant.

This change only affects Office on devices running Windows, and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.

At a future date to be determined, Microsoft also plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.