Microsoft: Key Office apps will block macros by default

Microsoft today announced that five Office applications will block Visual Basic for Applications (VBA) macros that were obtained from the internet by default, in a move long sought after by many in the cybersecurity field.

The change will begin rolling out for Office 365 customers starting in April, and is only for Windows devices, Microsoft said in a blog post. Other versions of Office will receive the update “at a future date to be determined,” the company said.

While macros have been intended to help with automating certain tasks in Office documents, macros in email attachments have long been popular with attackers as a delivery mechanism for malware. A study from Cofense in 2018 found that malicious macros in Office documents had made up 45% of all malware delivery mechanisms.

Microsoft acknowledged the issue in its post today, saying that “bad actors send macros in Office files to end users who unknowingly enable them,” — leading to the delivery of malicious payloads. “The impact can be severe including malware, compromised identity, data loss, and remote access,” Microsoft said.

In announcing the upcoming plan to disable all macros by default, Microsoft cited the many challenges that security professionals are currently facing — including cloud migrations, securing remote workers, and the ongoing pandemic.

“For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,” Microsoft said in the post.

Thus, “VBA macros obtained from the internet will now be blocked by default,” the company said.

The change will cover the three most-used Office apps — Word, Excel, and PowerPoint — as well as Access and Visio.

“For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,” Microsoft said. “The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.”

With the change, a message bar with a “learn more” button will now appear to notify users, the company said.

Protection from attacks

Microsoft’s move to disable macros by default “is a great step to stop initial access by malicious office documents,” wrote Greg Linares, research engineer at eEye Digital Security, on Twitter.

VBA macros “have been a target for hackers for over two decades,” said Ray Kelly, fellow at NTT Application Security, in an email to VentureBeat. Macros are “easy to code and run with the current users’ permissions,” he noted.

“Blocking macros by default is a good move, at the cost of inconvenience, and can potentially protect a user from ransomware or data loss,” Kelly said.

Here are the additional details on the change provided by Microsoft in its blog post:

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.

At a future date to be determined, we also plan to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

Cybersecurity executives applauded the move in comments to VentureBeat today — though some suggested that Microsoft should’ve acted sooner.

“This is a really positive step from Microsoft to make the switch,” said Andrew Barratt, vice president for technology and enterprise at Coalfire, via email. “This potentially shifts the focus of attackers to have to actively dupe users into downloading and running the payload.”

‘Defaults matter’

As the security industry is seeing a shift to credential compromise via email, “Microsoft should be commended for making this the default position,” Barratt said. “There could be some minor disruption for the heavy duty Excel and Word automation community, which Microsoft will no doubt pick up the cost of support for.”

An important but under-appreciated aspect of cybersecurity is that “defaults matter – and sometimes matter a lot,” said Oliver Tavakoli, chief technology officer at Vectra, in an email.

“Seemingly 50-50 decisions made by product managers at application and platform providers can expose their customers to extraordinary risk,” Tavakoli said. “As the example of VBA macros demonstrates, once such a choice has been made, it’s a difficult and lengthy process to change the default to something more secure as the fear of breaking things creates a form of institutional paralysis.”

Long overdue?

Given that VBA macros have been a threat to Office users for many years, disabling macros by default is “a great step that took Microsoft far too long to complete,” said Jon Gaines, senior application security consultant at nVisium, in an email.

When reached by VentureBeat today, a Microsoft representative said the company has no further comment beyond the announcement post.

It’s worth noting that this change by Microsoft “only affects Office files downloaded from the internet — which have already had a warning if it contains a macro,” Gaines said. “However, making it more than one click to execute the macros is a great step. That said, VBA macros are still incredibly powerful, so blue teams should continue to stay vigilant.”