Microsoft Blocks Risky Macros in Office 2016

In an effort to counter the use of malicious macros to deliver malware, Microsoft has packed a new macro blocking feature into Office 2016.

The new macro blocking feature was designed mainly for enterprises, and allows administrators to stop macros from compromising machines in certain high-risk scenarios. Admins control the feature via Group Policy and configure it per application, so that macros are blocked from running in Word, Excel and PowerPoint documents that come from the Internet, Microsoft explains.

Macro-based malware depends on the victim choosing to enable macros in a malicious document: previous Office versions already warned users when opening documents that contain macros, and left the decision to them. Cybercriminals therefore rely on social engineering, such as a document whose visible content claims it is "protected" and must be unlocked, to lure users into enabling macros in good faith.

Malicious macros were highly popular among malware creators a decade ago, yet their popularity diminished after Microsoft disabled macros by default in Office. However, macro malware has regained some of its glory more recently, with infamous threats such as Dridex, Rovnix, or the enterprise-oriented Bartalex heavily relying on macros as the delivery mechanism.

Until recently, macro malware typically used easy-to-implement scripts within the macro sheet to download and execute the malicious payload. Starting in February, however, malware such as Dridex and Locky started hiding that logic in Form objects (the windows and dialog boxes that make up part of an application's user interface), storing the malicious strings in the properties of form controls so that the macro code itself reveals little to a scanner reading the script.

With 98 percent of Office-targeted threats using macros, Microsoft has decided to boost defense mechanisms in its application suite and to provide enterprises with additional security features. Starting with Office 2016, organizations can selectively scope macro use to a set of trusted workflows and can block easy access to enable macros in scenarios considered high risk, Microsoft said.

Furthermore, Microsoft says that the new Office 2016 feature shows end users a different and stricter notification, making it easier to distinguish a high-risk situation from a normal workflow.

The new feature should diminish the risks posed by documents downloaded from websites or cloud storage providers (like OneDrive, Google Drive, and Dropbox), those attached to emails coming from outside the organization (if the organization uses the Outlook client and Exchange servers for email), and those opened from file-sharing sites. In practice, Office decides that a file "comes from the Internet" from the Mark of the Web (the Zone.Identifier alternate data stream) that browsers and Outlook attach when saving a file; a document that arrives by a path that does not set or preserve that mark is treated as local and is not covered by the block.

By blocking macros in such documents, administrators ensure that macros cannot run when users open them, and that users have no way of enabling them either: the usual "Enable Content" button is replaced by a notification that offers no such option. The document is initially opened in Protected View, but even if the user enables editing and exits Protected View, macros remain blocked, so the macro cannot infect the machine. The feature addresses macros only; it does not change how Office handles other kinds of malicious content.

Administrators can enable the feature from the Group Policy Management Console, provided the Office 2016 Administrative Template files (ADMX/ADML) are installed. Right-click the Group Policy Object to configure and then click Edit. Next, in the Group Policy Management Editor, go to User Configuration, click Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center, open Block macros from running in Office files from the Internet, and set it to Enabled. Because the setting is per application, repeat the step under Microsoft Excel 2016 and Microsoft PowerPoint 2016 to cover spreadsheets and presentations.
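The Group Policy setting above writes a registry value under the current user's Policies hive, and the "from the Internet" decision rests on the file's Mark of the Web. The following PowerShell is an added example, not Microsoft's code: it applies that value for Word, Excel and PowerPoint 2016 the way the GPO would, audits the result, and reports which downloaded documents the block would actually apply to. It assumes Office 2016 (version key 16.0), the value name blockcontentexecutionfrominternet, that the block is triggered by ZoneId 3 (Internet) or 4 (Restricted sites), and PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example (not Microsoft's code): enforce and audit the Office 2016
# "Block macros from running in Office files from the Internet" policy, and
# check which files carry the Mark of the Web that makes the block apply.
#
# Assumptions: Office 2016 (registry version key 16.0); the policy registry
# value is named blockcontentexecutionfrominternet; ZoneId 3 (Internet) and
# 4 (Restricted sites) are treated as "from the Internet"; run as the user
# whose Office settings you want to change. Requires PowerShell 3.0+.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$ValueName  = 'blockcontentexecutionfrominternet'

function Get-MacroBlockPolicyPath {
    # Per-application policy key that the GPO setting writes to.
    param([Parameter(Mandatory)][string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Enable-InternetMacroBlock {
    # 1 = block macros in files from the Internet; absent/0 = default behaviour.
    foreach ($app in $OfficeApps) {
        $path = Get-MacroBlockPolicyPath -App $app
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-InternetMacroBlock {
    # One object per application, so a compliance script can act on it.
    foreach ($app in $OfficeApps) {
        $path  = Get-MacroBlockPolicyPath -App $app
        $value = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        [pscustomobject]@{ Application = $app; Blocked = ($value -eq 1) }
    }
}

function Test-MarkOfTheWeb {
    # The block only applies to files carrying a Zone.Identifier stream whose
    # ZoneId marks them as Internet (3) or Restricted (4); files without the
    # stream are treated as local and macros in them are not blocked.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $line   = $stream | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zone   = if ($line) { [int]($line -replace '^ZoneId=', '') } else { $null }
    [pscustomobject]@{
        Path              = $Path
        ZoneId            = $zone
        MacroBlockApplies = ($null -ne $zone -and $zone -ge 3)
    }
}

# Usage: apply the policy, confirm it for all three applications, then list
# macro-enabled documents in Downloads and whether the block covers each one.
Enable-InternetMacroBlock
Test-InternetMacroBlock | Format-Table -AutoSize
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.docm, *.xlsm, *.pptm -Recurse |
    ForEach-Object { Test-MarkOfTheWeb -Path $_.FullName } | Format-Table -AutoSize
```

Writing the value directly is useful for a lab or a machine outside the domain; in production, prefer the GPO so the setting is enforced and re-applied on refresh. A file that shows MacroBlockApplies as False despite coming from outside the organization (for example, extracted by an archiver that does not propagate the Zone.Identifier stream) is exactly the gap the Mark of the Web caveat refers to.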

To stay protected from macro-based malware, users are advised to leave macros disabled in documents received from unknown or untrusted sources. Enterprise administrators are advised to enable the mitigations Office offers against macro-based threats, including this new macro-blocking feature, or to disable macros entirely where no workflow needs them.

Related: PowerSniff Malware Attacks Abuse Macros, PowerShell