Vulnerability Management, Threat Management

Microsoft again reverses course, will block macros by default

SYDNEY, AUSTRALIA – OCTOBER 19: People move past a Microsoft store in the Pitt Street shopping district on October 19, 2021 in Sydney, Australia. COVID-19 restrictions have eased further for fully vaccinated people across NSW this week after the state passed its 80 per cent double vaccination target. (Photo by Lisa Maree Williams/Getty Images...

Three weeks ago, Microsoft said it would pause its rollout of a new security feature loved by security experts but feared by smaller enterprises: Blocking VBA macros by default from all documents downloaded from the internet.

The pause is over.

A blog post released last week slates the rollout of the feature will begin for general users on July 27.

VBA macros provide additional programming functionality for programs like Excel. But adding code that will run when an otherwise innocuous-looking document is opened has proved to be dangerous. Macros have been a top vector for attack since the Concept malware in 1995.

"By any measure, email continues to be the prevailing vector leveraged by adversaries for initial access, leading to a wide variety of damaging cyberattacks," Brian Donohue, principal security specialist at Red Canary, told SC Media via email when the pause was first announced.

Microsoft's update will tag documents downloaded from the internet for additional user scrutiny before running macros. When such a file is opened, Microsoft will put a red banner at the top of the page saying that macros have been blocked with a link to an article explaining why they are dangerous and how to re-enable macros for the file if the user thinks they are safe.

Some enterprises, particularly smaller enterprises, were concerned that this would jam workflows without giving enterprises time to adapt.

"You'll want to identify those macros and determine what steps to take to keep using those macros. You'll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher," Microsoft wrote in its latest blog.

There is evidence that even just the specter of macros becoming a less effective vector has forced criminal groups to adapt.

"Emotet has used malicious macro documents for a billion years and just recently we have seen threat actors change their tactics and start using more containers, .LNK files, archive files, all that kind of stuff," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, noted when the pause was announced. "It's truly very easy to speculate that was a response to Microsoft's original decision. So not only was the earlier decision to disable macros by people celebrated, and seen as a positive, it actually really did impact behavior."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.