Microsoft blocks Internet macros by default in Office

Microsoft has announced changes to how Office handles its automation capabilities, known as active content (the most common kind being macros). Previously, users could enable macros by clicking the corresponding button. Now they will see a Learn more button instead, which leads to information about the danger received files might present and what can be done to avoid it. Macros in files from the internet will be blocked by default.

Bad actors actively exploit macros for criminal operations

The company says these steps should reduce cybersecurity breaches both in companies and on home users' machines. It explains that threat actors have for years been actively exploiting this useful feature in their criminal operations. By simply sending a file from the internet, as an email attachment or in some other way, threat actors could successfully carry out steps of an attack.

Now, to open a file received from the internet, users have to follow the Learn more button, where they can learn how to open the file properly without putting themselves in danger. The change will affect five Office apps that run macros: Word, Visio, PowerPoint, Excel and Access. It will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. After that it will be introduced to other update channels such as Semi-Annual Enterprise Channel, Monthly Enterprise Channel and Current Channel.

The company also plans to introduce the same change to Office 2013, Office 2016, Office 2019, Office 2021 and Office LTSC. The date is yet to be determined.

“A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code. Usually, the malicious code is part of a document that originates from the internet (email attachment, link, internet download, etc.). Once enabled, the malicious code gains access to the identity, documents, and network of the person who enabled it.”
Tom Gallagher, Partner Group Engineering Manager, Office Security

Microsoft introduces changes on macros only in Windows

Macros are a useful feature of Microsoft Office apps that lets you automate operations performed in those apps. For example, say you have to prepare a report for your accounting manager every month, and each time you have to apply the same formatting to the document. With Office macros this becomes much easier, because you can simply automate those actions. It's rare that a user would need them while simply editing or reading a document in Word. But threat actors employ macros to spread malware, gain remote access and steal sensitive information.

With the new change, instead of simply being allowed to run internet macros, users will be presented with information on how to enable the macros safely by saving the file and removing the Mark of the Web (MOTW). Users can also read about the security risks of bad actors using macros and learn safe practices for avoiding phishing and malware.

A message bar that displays a Security Risk showing blocked macros from the internet

The MOTW is an attribute that Windows adds to files originating from an untrusted location (Internet or Restricted Zone). The attribute is only added to files saved on an NTFS file system, not to files saved to FAT32-formatted devices.
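
As an added example (not from Microsoft or the original article): on NTFS the MOTW is stored in an alternate data stream named Zone.Identifier, whose ZoneId value records the zone. The Python code below parses that stream and flags macro-capable files marked Internet or Restricted; the sample stream, the extension list and the function names are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample of a Zone.Identifier stream (not taken from a real file).
SAMPLE_STREAM = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.test/mail/\n"
    "HostUrl=https://example.test/files/report%20Q1.xlsm\n"
)

# Zones the article names as carrying MOTW: 3 = Internet, 4 = Restricted.
MOTW_ZONES = {3, 4}
# Illustrative, not exhaustive, list of macro-capable Office extensions.
MACRO_EXTS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}

def parse_zone_identifier(text):
    """Return zone_id/host_url/referrer_url, or None if the stream is malformed."""
    # interpolation=None: URLs contain '%', which configparser would try to expand.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
        zone_id = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return {"zone_id": zone_id,
            "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
            "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None)}

def read_stream(path):
    """Read a file's Zone.Identifier stream; None if absent (e.g. on FAT32)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8-sig") as fh:
            return fh.read()
    except OSError:
        return None

def has_motw(info):
    return info is not None and info["zone_id"] in MOTW_ZONES

def needs_review(filename, stream_text):
    """True for a macro-capable file whose stream marks it Internet/Restricted."""
    ext = os.path.splitext(filename)[1].lower()
    info = parse_zone_identifier(stream_text or "")
    return ext in MACRO_EXTS and has_motw(info)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(needs_review("invoice.xlsm", SAMPLE_STREAM))
```

On Windows, `read_stream(path)` supplies the text for `needs_review`; a `None` result means the file carries no mark, which is also what a copy on a FAT32 device looks like.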

Administrators in organizations can use the “Block macros from running in Office files from the Internet” policy to prevent workers from unintentionally opening files from the internet that may contain malicious macros. The company adds that if an administrator enables this policy, the organization won’t be affected by the default change.

Evaluation flow for Office files with macros and MOTW

Microsoft emphasizes the importance of enabling this policy for organizations. The company says that for years it has recommended blocking macros obtained from the internet in its security baselines. Securing customers with such a policy by default is the next step in hardening cybersecurity, said Hani Saliba, Partner Director of Engineering, Office Calc, commenting on the change to how the macro mechanism will work.

The other ways to know that your files are safe are the following:

  • A user can open a file with digitally signed macros and a provided certificate, which the user then installs as a Trusted Publisher on their local machine;
  • A user can also open files from a Trusted Location.

Before enabling the policy for an organization, Microsoft recommends that IT administrators first work with the business units that use macros in their Office files, such as the Finance department, and with the independent software vendors (ISVs) the organization relies on that make use of macros in Office files.

How to avoid malicious macros?

If you are still wondering what to do with that email sent a few days ago, consider the following:

  • A pop-up message encourages you to enable active content. You downloaded a file from the internet and saw pop-ups or other messages asking you to enable active content. More often than not, threat actors use such tactics to lure a user into enabling an attack. This should make you suspicious about the actual safety of the file in question;
  • A stranger asks you to enable the active content. The most common tactic of an attacker is to create some urgency in an email and attach a document that is the object of said urgency. No legitimate company will ask you to cancel an order via an Excel document, and you don’t need any macros just to read a document in Word;
  • You were not expecting the email, even though it comes from a person you know. Maybe you received an email from someone you work with or have corresponded with before, but you don’t remember waiting for it. Here it would be better not to open any attachment you received. Phishers count on you doing so, and pretend to be someone the victim has a connection with.

Also, the change won’t affect Office on the web, Office on Android or iOS devices, or Office on a Mac. It will only apply to Windows-based devices.

    Andrew Nail

    Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.
