Connect with us

Hi, what are you looking for?


Endpoint Security

Microsoft Resumes Rollout of Macro Blocking Feature

Microsoft this week announced that it has resumed the rollout of an Office feature that will block by default macros in documents received from the internet.

Macros are small snippets of code attached to Office documents to trigger specific behavior when the documents carrying them are opened.

Microsoft this week announced that it has resumed the rollout of an Office feature that will block by default macros in documents received from the internet.

Macros are small snippets of code attached to Office documents to trigger specific behavior when the documents carrying them are opened.

While they can be used to automate specific tasks, macros have been abused for malicious purposes, such as phishing and malware distribution, and Microsoft has taken steps to prevent such nefarious behavior.

In 2016, the tech giant announced that Office would block macros in documents received from the internet, displaying a yellow warning to inform users that editing is disabled.

That warning, however, is allowing users to enable editing with a single click, and threat actors have found various methods to trick users into clicking it, to allow macros to run.

At the beginning of 2022, after restricting Excel 4.0 (XLM) macros by default, Microsoft announced a new default behavior in Office, where macros would be automatically blocked, but users could no longer enable editing with a single click.

The new behavior started rolling out in April, replacing the old yellow notification with a new one, which informs users that Visual Basic for Applications (VBA) macros have been blocked in that document, and linking to an article detailing the risks associated with macros.

Advertisement. Scroll to continue reading.

By changing the default behavior to make it more difficult for users to enable macros, Microsoft aims to increase the overall protections in Office and to disable a well-known attack vector.

Earlier this month, Microsoft started to roll back the change, to “enhance usability.” The company failed to announce the rollback properly, but later confirmed that it was only a temporary measure, after users started asking questions.

This week, the tech giant announced that it has resumed the rollout, and that additional resources are available for both users and administrators who want to better understand the new macro blocking feature.

“We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share,” the company says.

The updated documentation for end users explains why macros are considered dangerous and how threat actors are abusing them, while the documentation for administrators explains the default Office behavior regarding macros and how organizations can prepare for the change.

Microsoft also notes that the rollout does not affect organizations where the “Block macros from running in Office files from the Internet” policy has already been enabled or disabled.

“If you set this policy to Disabled, users will see, by default, a security warning when they open a file with a macro. That warning will let users know that macros have been disabled, but will allow them to run the macros by choosing the Enable content button,” Microsoft explains.

The macro blocking feature is being rolled out to Access, Excel, PowerPoint, Visio, and Word on Windows.

Related: Microsoft Ups Office Protections With Improved Blocking of Macros

Related: Researcher Details Sophisticated macOS Attack via Office Document Macros

Related: ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

The Zero Day Dilemma

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...