Application security, Vulnerability Management

Microsoft pauses once-touted macro security change

A Microsoft logo is seen during the 2015 Microsoft Build Conference on April 29, 2015, at Moscone Center in San Francisco. (Photo by Stephen Lam/Getty Images)
Microsoft is rolling back a recent change to block VBA macros by default, baffling many in the security community. Pictured: A Microsoft logo is seen during the 2015 Microsoft Build Conference on April 29, 2015, at Moscone Center in San Francisco. (Photo by Stephen Lam/Getty Images)

In a move that has baffled much of the security community, Microsoft told Office 365 administrators Thursday that it would "roll back" a default block of VBA macros downloaded from the internet.

"Based on feedback, we’re rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you," the Redmond, Washington, firm messaged administrators. In a separate update to the original announcement, Microsoft said this was more of a pause than a delay. "This is a temporary change, and we are fully committed to making the default change for all users." 

The feature announced in February received immediate praise in the security community. Confusion around the original announcement that the feature would be put on hold — particularly over if and what would eventually be released — received similarly quick concern.

"The general sentiment is: What good can possibly come from this," asked Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. "Everyone really celebrated, or was at least positive on the decision. The decision to now reverse course is, frankly, puzzling."

Microsoft introduced VBA macros in 1993, with the first macro virus, Concept, appearing soon after in 1995. Since then, one of the most common, consistent pieces of security advice has been for users or administrators to turn off macros.

Yet, macros bring a lot of functionality and can be tough to abandon entirely. Microsoft's February announcement would have allowed administrators to split the difference; Office 365 would mark documents downloaded from the internet and, by default, show a warning page instead of running a macro in those documents.

"By any measure, email continues to be the prevailing vector leveraged by adversaries for initial access, leading to a wide variety of damaging cyberattacks. Disabling macros by default would have been majorly disruptive to adversaries, and a relatively minor disruption for IT professionals, who have the option to re-enable macros and accept the associated risks," said Brian Donohue, principal security specialist at Red Canary, via email.

Microsoft did not directly answer questions submitted by SC Media about the decision to delay their February decision, but pointed to the updated announcement.

The unfortunate thing, said DeGrippo, is that even just announcing that VBA macros would be turned off by default may have forced adversaries to change tactics. Even the sector of a change was having an effect.

"Emotet has used malicious macro documents for a billion years and just recently we have seen threat actors change their tactics and start using more containers, .LNK files, archive files, all that kind of stuff," she said. "It's truly very easy to speculate that was a response to Microsoft's original decision. So not only was the earlier decision to disable macros by people celebrated, and seen as a positive, it actually really did impact behavior."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.