Security Experts:

Microsoft Resumes Rollout of Macro Blocking Feature

Microsoft this week announced that it has resumed the rollout of an Office feature that will block by default macros in documents received from the internet.

Macros are small snippets of code attached to Office documents to trigger specific behavior when the documents carrying them are opened.

While they can be used to automate specific tasks, macros have been abused for malicious purposes, such as phishing and malware distribution, and Microsoft has taken steps to prevent such nefarious behavior.

In 2016, the tech giant announced that Office would block macros in documents received from the internet, displaying a yellow warning to inform users that editing is disabled.

That warning, however, is allowing users to enable editing with a single click, and threat actors have found various methods to trick users into clicking it, to allow macros to run.

At the beginning of 2022, after restricting Excel 4.0 (XLM) macros by default, Microsoft announced a new default behavior in Office, where macros would be automatically blocked, but users could no longer enable editing with a single click.

The new behavior started rolling out in April, replacing the old yellow notification with a new one, which informs users that Visual Basic for Applications (VBA) macros have been blocked in that document, and linking to an article detailing the risks associated with macros.

By changing the default behavior to make it more difficult for users to enable macros, Microsoft aims to increase the overall protections in Office and to disable a well-known attack vector.

Earlier this month, Microsoft started to roll back the change, to “enhance usability.” The company failed to announce the rollback properly, but later confirmed that it was only a temporary measure, after users started asking questions.

This week, the tech giant announced that it has resumed the rollout, and that additional resources are available for both users and administrators who want to better understand the new macro blocking feature.

“We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share,” the company says.

The updated documentation for end users explains why macros are considered dangerous and how threat actors are abusing them, while the documentation for administrators explains the default Office behavior regarding macros and how organizations can prepare for the change.

Microsoft also notes that the rollout does not affect organizations where the “Block macros from running in Office files from the Internet” policy has already been enabled or disabled.

“If you set this policy to Disabled, users will see, by default, a security warning when they open a file with a macro. That warning will let users know that macros have been disabled, but will allow them to run the macros by choosing the Enable content button,” Microsoft explains.

The macro blocking feature is being rolled out to Access, Excel, PowerPoint, Visio, and Word on Windows.

Related: Microsoft Ups Office Protections With Improved Blocking of Macros

Related: Researcher Details Sophisticated macOS Attack via Office Document Macros

Related: ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

view counter