Microsoft will soon start blocking Visual Basic for Applications (VBA) macros by default in five of its Office suite programs in an attempt to limit the Windows attack surface available to cybercriminals.
Office macros have long been used by bad actors who send documents embedded with malicious code to unsuspecting users.
You might have seen a yellow ribbon on documents sent via email or downloaded from the internet that says ‘Enable Content’ – that was Microsoft’s previous attempt to clamp down on malicious macros.
But Kellie Eickmeyer, a Principal Program Manager at Microsoft, said in a blog post this week that it was too easy for users to “enable the macros by clicking a button”, something bad actors would actively encourage their victims to do.
“Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access,” Eickmeyer said.
“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet.”
Instead of the ‘Enable Content’ button, users will be directed to an online article explaining why they should be wary of macros and describing the steps needed to unblock an individual file.
Office macros can be so dangerous for organisations that appropriately configuring macro settings is one of the Essential Eight cyber security mitigation strategies.
Documents with malicious macros are part of the Emotet botnet’s modus operandi, contributing to the growth and spread of that irritating army of bots.
Macros account for about 25% of all ransomware entry (and other groups) and I basically career suicided on this hill as it’s not just ransomware using it.
— Kevin Beaumont (@GossiTheDog) February 7, 2022
Keep derisking macros and macro functions. It’s really important. Thank you all the people behind the scenes doing this.
Security researcher Kevin Beaumont tweeted that about 25 per cent of ransomware is delivered by macros – and that was a conservative estimate.
“This is potentially a game changer for the cyber security industry and, more importantly, customers,” he said.
“The world has changed since VBA was around. It’s a big deal to fix this.”
Fellow researcher Will Dormann pointed out that Microsoft had merely gone back to the state of macros in Office 2000, when VBA macros were met with a pop-up referring users to online documentation.
“Starting with Office 2010, Microsoft made it easier for users to enable macros with the maligned Enable Content button, regardless of where the file came from,” he tweeted.
“It shouldn’t have needed a dozen years to recognise the risk here, but this is a welcome change.”
Starting from early April, downloaded files will no longer have the option to enable VBA macros with one click in the Office 365 versions of Word, Excel, PowerPoint, Access, and Visio.
Earlier versions of Office will get support “at a future date to be determined” and the change will only affect users running Office on Windows.