New Update Microsoft to make it difficult to enable macros in downloaded docs

Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,262
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.

Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

"VBA macros obtained from the internet will now be blocked by default. This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.

"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."

After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.

This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.

Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.

If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.

By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.
Click to expand...
www.bleepingcomputer.com

Microsoft plans to kill malware delivery via Office macros

Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Applause
Reactions: brambedkar59, Nevi, shmu26 and 9 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
We will see what Microsoft means by: "VBA macros obtained from the internet". The current meaning is related to MOTW and adopted in MS Office and in Windows SmartScreen. I am afraid that this will not change. If so then this protection can still be relatively easy to bypass in phishing attacks. Anyway, it is a good move and can make people safer for some time.
 
  • Like
Reactions: brambedkar59, Nevi, EascapenMatrix and 8 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Got this on my feed as I follow Marcus Hutchins. :)



Original article

While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice.

The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.
Click to expand...
 
  • Like
Reactions: [correlate], Deletedmessiah, brambedkar59 and 6 others
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros. Other admins felt that the decision was a problem for end-users who would find it burdensome to unblock files that they download every day, if not multiple times per day.
Click to expand...
www.bleepingcomputer.com

Microsoft rolls back decision to block Office macros by default

While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice.
www.bleepingcomputer.com www.bleepingcomputer.com

 
  • Like
  • +Reputation
Reactions: [correlate], Deletedmessiah, brambedkar59 and 5 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
According to this article, Microsoft's move to not block macros is a temporary one.

www.bleepingcomputer.com

How to auto block macros in Microsoft Office docs from the internet

With Microsoft temporarily rolling back a feature that automatically blocks macros in Microsoft Office files downloaded from the Internet, it is essential to learn how to configure this security setting manually. This article will explain why users should block macros and how you can block them...
www.bleepingcomputer.com www.bleepingcomputer.com

Since 2016, Microsoft has had a Microsoft Office group policy called 'Block macros from running Office files from the Internet that will automatically prevent macros from running on documents containing a 'Mark-of-the-Web.'

While not as pretty as the new feature that Microsoft rolled back, it performs the same functionality of blocking macros on all downloaded Office documents.

To enable this policy, you can download and install the Microsoft Office group policies and configure the 'Block macros from running Office files from the Internet' policy for each application you would like to secure.
Click to expand...
 
  • Like
  • +Reputation
  • Thanks
Reactions: [correlate], Deletedmessiah, Gandalf_The_Grey and 3 others
silversurfer

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,114
"Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," explained Kellie Eickmeyer, a principal program manager at Microsoft, in a Friday update to the February announcement.
"This is a temporary change, and we are fully committed to making the default change for all users. We will provide additional details on timeline in the upcoming weeks."
Click to expand...
www.bleepingcomputer.com

Microsoft says decision to unblock Office macros is temporary

Microsoft says last week's decision to roll back VBA macro auto-blocking in downloaded Office documents is only a temporary change.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: [correlate], Deletedmessiah, plat and 3 others
silversurfer

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,114
Microsoft announced today that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback. The change comes after the company improved its user and admin support documentation to make it easier to understand the available options when a macro is blocked.
"Based on our review of customer feedback, we've made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios," Microsoft explained in a new update in the Microsoft 365 message center.
Click to expand...
www.bleepingcomputer.com

Microsoft starts blocking Office macros by default, once again

Microsoft announced today that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Applause
  • +Reputation
Reactions: [correlate], plat, Andy Ful and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
From the article, it is clear that the macros will be blocked for documents with MOTW. Unfortunately, there are several methods to force documents with MOTW and without macros to deliver macro-weaponized documents without MOTW. So, this will not stop the attacks via macro-weaponized documents and will not make macros less dangerous. The infection chain will increase with one stage, so the attacks can be slightly less popular.
 
  • Like
  • Wow
Reactions: plat, Gandalf_The_Grey and [correlate]

Similar threads

lokamoka820
    • Like
    • Thanks
    • Hundred Points
New Update Microsoft Office 2024 Is Almost Here
Replies
5
Views
511
Office, email and business apps
lokamoka820
lokamoka820
silversurfer
    • Wow
    • Like
Hot Take A bug in Word deletes documents instead of saving them
Replies
2
Views
194
Office, email and business apps
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
New Update Microsoft is adding more Copilot features to Office apps, including Python in Excel
Replies
1
Views
167
Office, email and business apps
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top