Microsoft to start blocking macros to thwart malware

Microsoft is making changes to web macro permissions across multiple Office apps to help improve user security

Microsoft has announced it will begin blocking Visual Basic for Applications (VBA) macros obtained from the public internet by default across five of its most used Office apps from April 2022, in an attempt to thwart malicious actors from tricking users into executing malware on their systems.

Microsoft Office has supported macros for years, but until now – although it has warned users about enabling them – users could still enable them at the click of a button. Malicious actors know full well that they can send macros in innocent-looking Office files to users who will enable them without thinking, allowing the attackers to deliver malicious payloads and conduct damaging cyber attacks.

“A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code,” said Tom Gallagher, partner group engineering manager for Office security at Microsoft. “Usually, the malicious code is part of a document that originates from the internet. Once enabled, the malicious code gains access to the identity, documents and network of the person who enabled it.”

Going forward, Redmond said, users will no longer be able to enable macros just by clicking a button; instead they will see a message bar notifying them that macros are blocked, alongside an option to learn more. It will still be possible to enable macros, but the process will require users to go through more steps, reducing the chance that someone clicking on a well-crafted phishing email accidentally enables them. Microsoft believes this new default will be more secure and keep more users safe, in particular remote workers.

The change will only be available to installations of Office running on Windows machines, and will at first be applied to Access, Excel, PowerPoint, Visio and Word from Version 2203 onwards through Current Channel Preview. It will be made available in other update channels at an undisclosed date, and Microsoft will also apply the new policy to Office LTSC, 2021, 2019 and 2013 in the near future.

Microsoft said it was prompted to change its policy thanks in part to ongoing cloud migration, increased remote and hybrid working, and other pandemic impacts.

“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” said Tristan Davis, partner group programme manager for the Office platform.

Microsoft urged IT and security teams to prepare for the upcoming changes by working with any lines of business in the organisation that use macros within their Office files and, critically, any independent software vendors on which the organisation relies that use macros within Office files.
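For the preparation work Microsoft recommends above, here is an added example (not from the article and not Microsoft's own tooling): a PowerShell inventory script that finds Office files containing a VBA project and checks whether they carry the Mark of the Web, the Zone.Identifier stream Windows attaches to files downloaded from the internet, which is what the new default keys on. The function names, the extension list and the scan path are assumptions; Access and Visio files are left out because they are not plain OOXML containers.

```powershell
# Added example: inventory macro-bearing Office files that the new default would block.
# Assumes PowerShell 5.1+ on Windows with .NET's System.IO.Compression available.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-HasVbaProject {
    param([string]$FilePath)
    # OOXML files are zip containers; VBA code is stored in an entry named vbaProject.bin.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($FilePath)
        try {
            return [bool]($zip.Entries | Where-Object { $_.Name -ieq 'vbaProject.bin' })
        } finally { $zip.Dispose() }
    } catch {
        # Legacy binary formats (.doc/.xls/.ppt) are not zips; return $null to flag manual review.
        return $null
    }
}

function Get-ZoneId {
    param([string]$FilePath)
    # Downloaded files carry a Zone.Identifier alternate data stream containing "ZoneId=N".
    # 3 = Internet, 4 = Restricted sites; both are treated as "from the internet" by Office.
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-OfficeMacroInventory {
    param([string]$Path)
    # Macro-enabled extensions plus the plain ones, since a .docx can still hide a VBA project entry.
    $extensions = '*.docm','*.dotm','*.xlsm','*.xltm','*.xlam','*.pptm','*.potm','*.ppam',
                  '*.docx','*.xlsx','*.pptx','*.doc','*.xls','*.ppt'
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include $extensions | ForEach-Object {
        $hasVba = Test-HasVbaProject -FilePath $_.FullName
        $zone   = Get-ZoneId -FilePath $_.FullName
        [pscustomobject]@{
            Path         = $_.FullName
            HasMacros    = $hasVba                      # $null means "legacy format, inspect manually"
            ZoneId       = $zone
            WouldBeBlocked = ($hasVba -eq $true) -and ($zone -ge 3)
        }
    }
}

# Usage (assumed share path): list files that business users would find blocked after the change.
Get-OfficeMacroInventory -Path '\\fileserver\departments' |
    Where-Object { $_.WouldBeBlocked -or $null -eq $_.HasMacros } |
    Format-Table -AutoSize
```

Files that show up as blocked but are legitimately needed are the candidates for a signed macro from a Trusted Publisher or for a Trusted Location, the two paths Microsoft names for keeping approved macros working.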

More information on the new policies, alongside guidance for IT and security admins, can be found here.
