Microsoft today announced that five Office applications will block Visual Basic for Applications (VBA) macros that were obtained from the internet by default, in a move long sought after by many in the cybersecurity field.
The change will begin rolling out for Office 365 customers starting in April, and is only for Windows devices, Microsoft said in a blog post. Other versions of Office will receive the update “at a future date to be determined,” the company said.
While macros are intended to automate tasks in Office documents, macros in email attachments have long been popular with attackers as a delivery mechanism for malware. A study from Cofense in 2018 found that malicious macros in Office documents made up 45% of all malware delivery mechanisms.
Microsoft acknowledged the issue in its post today, saying that “bad actors send macros in Office files to end users who unknowingly enable them”—leading to the delivery of malicious payloads. “The impact can be severe including malware, compromised identity, data loss, and remote access,” Microsoft said.
In announcing the upcoming plan to disable all macros by default, Microsoft cited the many challenges that security professionals are currently facing—including cloud migrations, securing remote workers, and the ongoing pandemic.
“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,” Microsoft said in the post.
Thus, “VBA macros obtained from the internet will now be blocked by default,” the company said.
The change will cover the three most-used Office apps—Word, Excel, and PowerPoint—as well as Access and Visio.
“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,” Microsoft said. “The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.”
With the change, a “message bar will appear for users notifying them with a button to learn more,” the company said.
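Before the block rolls out, administrators usually want to know which documents in their environment actually carry VBA code, so they can tell legitimate automation apart from attachments that will now be stopped. The script below is an added example written for this article; it is not Microsoft's code and is not part of the announced change. It relies on one fact not stated in the article: macro-enabled OOXML files (.docm, .xlsm, .pptm and their template forms) store the VBA code in a package part named vbaProject.bin, so a read-only look at the zip entries reveals whether macros are present without opening the file in Office. The sample files are constructed in memory; legacy binary .doc/.xls files are reported as unknown because they need an OLE parser rather than a zip reader.

```python
"""Inventory helper: find Office documents that carry VBA macros.

Constructed example for this article; not Microsoft code. It only inspects
the OOXML package structure and never executes anything in the document.
"""
import io
import zipfile
from pathlib import Path
from typing import Dict, Optional

# In macro-enabled OOXML files the VBA code lives in a part named
# vbaProject.bin under the main document folder (word/, xl/ or ppt/).
VBA_PART_SUFFIX = "vbaProject.bin"

# Extensions Office treats as macro-enabled. A VBA part inside a file with a
# different extension (e.g. .docx) will not run, but is still worth flagging.
MACRO_ENABLED_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam",
}


def has_vba_project(data: bytes) -> Optional[bool]:
    """True/False if the bytes are an OOXML package with/without a VBA part.

    Returns None when the bytes are not a zip container at all (legacy
    .doc/.xls binaries or an unrelated file), which this helper cannot judge.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return None


def classify(filename: str, data: bytes) -> str:
    """Label one document for an inventory report.

    'macro'     macro-enabled extension and a VBA part present
    'no-macro'  OOXML package without a VBA part
    'mismatch'  VBA part present but the extension is not macro-enabled
    'unknown'   not an OOXML package (needs a different parser)
    """
    vba = has_vba_project(data)
    if vba is None:
        return "unknown"
    if not vba:
        return "no-macro"
    ext = Path(filename).suffix.lower()
    return "macro" if ext in MACRO_ENABLED_EXTENSIONS else "mismatch"


def inventory(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify a mapping of filename -> file bytes into filename -> label."""
    return {name: classify(name, data) for name, data in files.items()}


def build_sample(with_vba: bool) -> bytes:
    """Build a minimal constructed Word-style package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")      # constructed stub
        zf.writestr("word/document.xml", "<w:document/>")   # constructed stub
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample set standing in for files collected from a share.
    samples = {
        "quarterly.docm": build_sample(True),
        "memo.docx": build_sample(False),
        "odd.docx": build_sample(True),
        "legacy.doc": b"\xd0\xcf\x11\xe0 not a zip container",
    }
    for name, label in inventory(samples).items():
        print(f"{name:16} {label}")
```

In a real run you would replace the constructed samples with bytes read from disk; the "mismatch" label is the one worth a closer look, since a VBA part inside a non-macro extension is not something normal authoring produces.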
Microsoft’s move to disable macros by default “is a great step to stop initial access by malicious office documents,” wrote Greg Linares, research engineer at eEye Digital Security, on Twitter.
Here are the additional details on the change provided by Microsoft in its blog post:
The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.
At a future date to be determined, we also plan to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.