Endpoint Security

Microsoft Blocks Risky Macros in Office 2016

In an effort to counter the use of malicious macros to deliver malware, Microsoft has packed a new macro blocking feature into Office 2016.

The new macro blocking feature was designed mainly for enterprises and allows administrators to prevent macros from compromising machines in specific high-risk scenarios. Admins control the feature via Group Policy and can configure it per application, blocking macros from running in Word, Excel and PowerPoint documents that originate from the Internet, Microsoft explains.

Macro-based malware depends on the victim choosing to enable macros in a malicious document: previous Office versions already warned users when opening documents that contain macros, so the attack only works if the warning is overridden. Cybercriminals therefore rely on social engineering tactics (bogus "this document is protected" banners, fake invoices and the like) to lure users into enabling macros in good faith.

Malicious macros were highly popular among malware creators a decade ago, but their popularity diminished after Microsoft disabled macros by default in Office. Macro malware has regained ground more recently, with threats such as Dridex, Rovnix and the enterprise-oriented Bartalex relying heavily on macros as their delivery mechanism.

Until recently, macro malware typically used easy-to-implement scripts within the macro sheet to download and execute the malicious payload. Starting in February, however, malware such as Dridex and Locky began hiding the malicious logic in Form objects (the windows and dialog boxes that make up part of an application's user interface) instead of plain scripts, making the macros harder to spot on inspection.

With 98 percent of Office-targeted threats using macros, Microsoft has decided to boost defense mechanisms in its application suite and to provide enterprises with additional security features. Starting with Office 2016, organizations can selectively scope macro use to a set of trusted workflows and can block easy access to enable macros in scenarios considered high risk, Microsoft said.

Furthermore, Microsoft says the new Office 2016 feature presents end users with a different and stricter notification, making it easier to distinguish a high-risk situation from a normal workflow.

The feature targets documents that Windows marks as having come from the Internet: files downloaded from websites or cloud storage providers (such as OneDrive, Google Drive and Dropbox), attachments on email arriving from outside the organization (if the organization uses the Outlook client and Exchange servers for email), and files opened from file-sharing sites.

By blocking macros in such documents, administrators ensure that users are not infected when opening them and that they have no way of enabling macros themselves. The document still opens in Protected View first, but even if the user enables editing and exits Protected View, macros remain blocked; the usual "Enable Content" path is removed, and with it the social-engineering lever the malware depends on.

Administrators can enable the feature from the Group Policy Management Console by right-clicking the Group Policy Object they want to configure and clicking Edit. In the Group Policy Management Editor, they then go to User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center and enable "Block macros from running in Office files from the Internet". The same setting exists under the Excel 2016 and PowerPoint 2016 templates, so it must be enabled separately for each application.

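The Group Policy steps above write a per-application registry value under the user's Office policy hive, so the same setting can be applied and audited from PowerShell. The following is an added example (not Microsoft's documentation or tooling) that sets the policy for Word, Excel and PowerPoint 2016, verifies it, and checks whether a given file carries the Mark of the Web that makes Office treat it as "from the Internet". The registry value name `BlockContentExecutionFromInternet` and the `16.0` version path are the ones the Office 2016 ADMX templates map this policy to; the `Test-MarkOfTheWeb` helper, its sample path and the treatment of ZoneId 3 (Internet) and 4 (Restricted) as "from the Internet" are this example's own assumptions.

```powershell
# Added example: apply and audit "Block macros from running in Office files from the
# Internet" for Office 2016 via the registry values the Group Policy templates write.
# Run in the context of the user whose Office applications should be restricted
# (the policy lives under HKCU), or deploy the same values through a GPO.

$apps = @('Word', 'Excel', 'PowerPoint')

function Get-OfficeSecurityPolicyKey {
    param([Parameter(Mandatory)][string]$App)
    # 16.0 is the Office 2016 version hive.
    return "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Enable-InternetMacroBlock {
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityPolicyKey -App $app
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # 1 = block macros in files marked as coming from the Internet.
        # 0 or absent = not configured (Office falls back to its normal macro settings).
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
                         -Value 1 -Type DWord
    }
}

function Get-InternetMacroBlockStatus {
    foreach ($app in $apps) {
        $key = Get-OfficeSecurityPolicyKey -App $app
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application = $app
            PolicyValue = $val
            Blocked     = ($val -eq 1)
        }
    }
}

# The policy only applies to files carrying the Mark of the Web: a Zone.Identifier
# alternate data stream written by browsers, Outlook and most download tools.
# Assumption in this example: ZoneId 3 (Internet) or 4 (Restricted) counts as
# "from the Internet"; lower zones (Local, Intranet, Trusted) do not.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $false }
    foreach ($line in (Get-Content -Path $Path -Stream 'Zone.Identifier')) {
        if ($line -match '^ZoneId=(\d+)\s*$') {
            return ([int]$Matches[1]) -ge 3
        }
    }
    return $false
}

Enable-InternetMacroBlock
Get-InternetMacroBlockStatus | Format-Table -AutoSize

# Hypothetical downloaded document used to illustrate the check.
$sample = Join-Path $env:USERPROFILE 'Downloads\invoice.docm'
if (Test-Path $sample) {
    if (Test-MarkOfTheWeb -Path $sample) {
        "$sample carries the Mark of the Web: with the policy enabled, its macros are blocked."
    } else {
        "$sample has no Internet-zone mark: the policy will NOT apply; normal macro settings govern it."
    }
}
```

The last branch is the caveat worth remembering: a file that loses its Zone.Identifier stream (copied from a FAT-formatted USB stick, extracted by an archiver that does not propagate the mark, or saved from a process that never wrote it) is not "from the Internet" as far as this policy is concerned, so the blocking feature complements, rather than replaces, disabling macros outright where a workflow does not need them.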
To stay protected from macro-based malware, users are advised to leave macros disabled in documents received from unknown or untrusted sources. Enterprise administrators are advised to enable the mitigations Office provides against macro-based threats, including this new macro-blocking feature, or to disable macros entirely where no business workflow depends on them.

Related: PowerSniff Malware Attacks Abuse Macros, PowerShell
