New Update Microsoft to make it difficult to enable macros in downloaded docs

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,345
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.

Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

"VBA macros obtained from the internet will now be blocked by default. This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.

"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."

After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.

This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.

Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.

If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.

By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
We will see what Microsoft means by: "VBA macros obtained from the internet". The current meaning is related to MOTW and adopted in MS Office and in Windows SmartScreen. I am afraid that this will not change. If so then this protection can still be relatively easy to bypass in phishing attacks. Anyway, it is a good move and can make people safer for some time.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Got this on my feed as I follow Marcus Hutchins. :)



Original article

While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice.

The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros. Other admins felt that the decision was a problem for end-users who would find it burdensome to unblock files that they download every day, if not multiple times per day.

 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
According to this article, Microsoft's move to not block macros is a temporary one.


Since 2016, Microsoft has had a Microsoft Office group policy called 'Block macros from running Office files from the Internet that will automatically prevent macros from running on documents containing a 'Mark-of-the-Web.'

While not as pretty as the new feature that Microsoft rolled back, it performs the same functionality of blocking macros on all downloaded Office documents.

To enable this policy, you can download and install the Microsoft Office group policies and configure the 'Block macros from running Office files from the Internet' policy for each application you would like to secure.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,177
"Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," explained Kellie Eickmeyer, a principal program manager at Microsoft, in a Friday update to the February announcement.
"This is a temporary change, and we are fully committed to making the default change for all users. We will provide additional details on timeline in the upcoming weeks."
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,177
Microsoft announced today that it resumed the rollout of VBA macro auto-blocking in downloaded Office documents after temporarily rolling it back earlier this month following user feedback. The change comes after the company improved its user and admin support documentation to make it easier to understand the available options when a macro is blocked.
"Based on our review of customer feedback, we've made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios," Microsoft explained in a new update in the Microsoft 365 message center.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,538
From the article, it is clear that the macros will be blocked for documents with MOTW. Unfortunately, there are several methods to force documents with MOTW and without macros to deliver macro-weaponized documents without MOTW. So, this will not stop the attacks via macro-weaponized documents and will not make macros less dangerous. The infection chain will increase with one stage, so the attacks can be slightly less popular.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top