Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,345
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.
Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.
"VBA macros obtained from the internet will now be blocked by default. This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.
"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."
After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.
This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.
Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.
If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.
By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.
Microsoft plans to kill malware delivery via Office macros
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.
www.bleepingcomputer.com