Endpoint Security

Microsoft Blocks Risky Macros in Office 2016

In an effort to counter the use of malicious macros to deliver malware, Microsoft has packed a new macro blocking feature into Office 2016.

The new macro blocking feature was designed mainly for enterprises, and allows administrators to prevent macros from compromising machines in certain high risk scenarios. Furthermore, admins will be able to control the feature via Group Policy and configure it per application to block macros from running in Word, Excel and PowerPoint documents that come from the Internet, Microsoft explains. 

Macro-based malware depends on the victim being willing to enable macros in a malicious document, since previous Office versions already warned users when opening documents that contain macros. Cybercriminals therefore rely on various social engineering tactics to lure users into enabling macros in good faith.

Malicious macros were highly popular among malware creators a decade ago, yet their popularity diminished after Microsoft disabled macros by default in Office. However, macro malware has regained some of its glory more recently, with infamous threats such as Dridex, Rovnix, or the enterprise-oriented Bartalex heavily relying on macros as the delivery mechanism.

Until recently, macro malware typically used easy-to-implement scripts within the macro sheet to deliver and execute the malicious payload. Starting in February, however, malware such as Dridex and Locky started using Form objects, which are windows or dialog boxes that make up part of an application’s user interface, instead of scripts.

With 98 percent of Office-targeted threats using macros, Microsoft has decided to boost defense mechanisms in its application suite and to provide enterprises with additional security features. Starting with Office 2016, organizations can selectively scope macro use to a set of trusted workflows and can block easy access to enable macros in scenarios considered high risk, Microsoft said.

Furthermore, Microsoft says that the new Office 2016 feature presents end users with a different and stricter notification, making it easier to distinguish a high-risk situation from a normal workflow.

The new feature should diminish the risks posed by documents downloaded from websites or cloud storage providers (like OneDrive, Google Drive, and Dropbox), those attached to emails coming from outside the organization (if the organization uses the Outlook client and Exchange servers for email), and those opened from file-sharing sites.

By blocking macros in such documents, administrators ensure that users don’t get infected when opening them, and that they have no way of enabling macros either. The document is initially opened in Protected View, but even if the user enables editing and exits Protected View, macros remain blocked and the user is safe from infection.

Administrators can enable the feature from the Group Policy Management Console by right-clicking the Group Policy Object they want to configure and then clicking Edit. Next, in the Group Policy Management Editor, they should go to User Configuration, click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center, and select Block macros from running in Office files from the Internet to configure it. The same setting exists under the Excel 2016 and PowerPoint 2016 templates, which is what allows the feature to be configured per application.
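The following PowerShell script is an added example, not code from the article or from Microsoft, for auditing (and optionally enforcing) the policy described above on a local machine. It assumes that the Group Policy setting is backed by the DWORD value `BlockContentExecutionFromInternet` under `HKCU:\Software\Policies\Microsoft\Office\16.0\<app>\Security`, as defined in the Office 2016 ADMX templates, and that Office decides a file is "from the Internet" by the Mark of the Web (the `Zone.Identifier` alternate data stream with an Internet or Restricted zone id). The `-Enforce` switch, the function names and the sample file path are the example's own.

```powershell
# Added example (not from the article): audit and optionally set the
# "Block macros from running in Office files from the Internet" policy
# for Word, Excel and PowerPoint 2016 in the current user's profile.
#
# Assumption: the policy is backed by the DWORD value
# BlockContentExecutionFromInternet under
# HKCU:\Software\Policies\Microsoft\Office\16.0\<app>\Security
# (Office 2016 ADMX templates). Writing it locally mirrors what the GPO
# setting does; in a domain, deploy it through the GPO so that the user
# cannot undo it.

param(
    [switch]$Enforce,                      # without -Enforce the script only reports
    [string]$SampleFile = "$env:USERPROFILE\Downloads\invoice.docm"  # constructed path
)

$apps      = 'Word', 'Excel', 'PowerPoint'
$valueName = 'BlockContentExecutionFromInternet'

function Get-MacroBlockState {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $current = $null
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }
    [pscustomobject]@{
        Application = $App
        RegistryKey = $key
        Value       = $current
        Enabled     = ($current -eq 1)
    }
}

function Set-MacroBlock {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-InternetZone {
    # $true when the file carries the Mark of the Web: a Zone.Identifier
    # stream with ZoneId=3 (Internet) or 4 (Restricted). Files copied from
    # a local share without this stream are NOT covered by the policy,
    # which is why the article scopes the feature to downloads, external
    # mail attachments and file-sharing sites.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]($zone -match '^ZoneId=[34]$')
}

$report = foreach ($app in $apps) {
    $state = Get-MacroBlockState -App $app
    if ($Enforce -and -not $state.Enabled) {
        Set-MacroBlock -App $app
        $state = Get-MacroBlockState -App $app   # re-read to confirm the write
    }
    $state
}

$report | Format-Table Application, Enabled, Value, RegistryKey -AutoSize

if (Test-Path $SampleFile) {
    $fromInternet = Test-InternetZone -Path $SampleFile
    Write-Host ("{0}: Mark of the Web present = {1}" -f $SampleFile, $fromInternet)
}

# Exit non-zero if any application is still unprotected, so the script can
# serve as a compliance check from a scheduled task or endpoint agent.
if ($report | Where-Object { -not $_.Enabled }) { exit 1 }
```

Run it without arguments to get a per-application report and a non-zero exit code when any of the three applications lacks the policy; add `-Enforce` to write the value for the applications that are missing it. The Mark-of-the-Web check is the part worth keeping in a detection or triage playbook: a macro document that reaches a user without the `Zone.Identifier` stream (for example one extracted from an archive or copied from a share) will not trigger this block, so the policy complements rather than replaces the general advice below to keep macros disabled for untrusted documents.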

To stay protected from macro-based malware, users are advised to leave macros disabled on documents received from unknown or untrusted sources. Enterprise administrators are advised to enable mitigations in Office to shield the organization from macro-based threats, including this new macro-blocking feature, or to disable macros entirely.

Related: PowerSniff Malware Attacks Abuse Macros, PowerShell
