Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Microsoft Confirms Temporary Rollback of Macro Blocking Feature

Microsoft has confirmed that the recent rollback of a feature related to the blocking of internet macros in its Office suite is only temporary.

Microsoft has confirmed that the recent rollback of a feature related to the blocking of internet macros in its Office suite is only temporary.

Since 2016, Office has been blocking macros in documents arriving from the Internet, displaying a yellow warning to the user, informing them that editing has been disabled and allowing them to enable editing – and thus macros – with a single click.

In January 2022, Microsoft announced that Excel 4.0 (XLM) macros would be restricted by default, and in February the tech giant changed the default Office behavior regarding macros: in documents arriving from the internet, users could no longer enable macros with a single click.

Specifically, Microsoft replaced the yellow notification with a new one to inform users that Visual Basic for Applications (VBA) macros in the document had been blocked. The notification also featured a “Learn more” button leading to an article containing information on the risks associated with macros.

Instead of allowing users to immediately enable macros, the article would explain that the Mark of the Web (MOTW) on documents arriving from the internet could be removed once the document was saved to a trusted location.

While the new default behavior was meant to prevent users from enabling potentially dangerous macros, Microsoft rolled back the change recently, to “improve user experience.”

An administrator working on a guideline for their employees noticed that Office was no longer displaying the new alert and commented on Microsoft’s February announcement to ask about the rollback.

As it turns out, Microsoft indeed had decided to roll back the feature, but said nothing about it, thus creating confusion.

“Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users,” Microsoft notes in an update to the February announcement.

Administrators can still enable specific Group Policy settings to block macros in Office documents that arrive from the internet, the tech giant notes.

Microsoft wasn’t clear on when the new default will return to Office. The change affects Access, Excel, PowerPoint, Visio, and Word applications.

Related: Microsoft Ups Office Protections With Improved Blocking of Macros

Related: Researcher Details Sophisticated macOS Attack via Office Document Macros

Related: ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.