Update Microsoft to make it difficult to enable macros in downloaded docs


Apr 24, 2016
Microsoft announced today that it will make it difficult to enable VBA macros downloaded from the Internet in several Microsoft Office apps starting in early April, effectively killing a popular distribution method for malware.

Using VBA macros embedded in malicious Office documents is a very popular method to push a wide range of malware families in phishing attacks, including Emotet, TrickBot, Qbot, and Dridex.

"VBA macros obtained from the internet will now be blocked by default. This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word," the Microsoft Office Product Group said today.

"The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022."

After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they're automatically blocked.

This will automatically thwart attacks that deliver malware on home and enterprise networks via malicious Office docs, including various information-stealing trojans and malicious tools used by ransomware gangs.

Now, until the new autoblock defaults go into effect, when Office opens a document, it checks if it is tagged with a "Mark of the Web" (MoTW), which means it was downloaded from the Internet.

If this tag is found, Microsoft opens the document in read-only mode, blocking the exploit unless users click on the 'Enable Editing' or 'Enable Content' button shown at the top of the document.

By removing these buttons, which allow users to remove the MoTW, and blocking macros from untrusted sources by default, most malicious documents will no longer be executed, stopping malware attacks abusing this weakness in their tracks.

Andy Ful

Dec 23, 2014
We will see what Microsoft means by: "VBA macros obtained from the internet". The current meaning is related to MOTW and adopted in MS Office and in Windows SmartScreen. I am afraid that this will not change. If so, then this protection can still be relatively easy to bypass in phishing attacks. Anyway, it is a good move and can make people safer for some time.
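For readers who want to see what the Mark of the Web discussed in this thread looks like on disk, here is an added example (not from the article or from either poster): on NTFS the tag is stored in an alternate data stream named `Zone.Identifier`, and this Python sketch parses its content and reports the zone. The sample stream text and URLs are constructed, and treating ZoneId 3 or 4 as "from the internet" is an assumption about how Office applies the new default.

```python
import configparser

# Windows URL security zone IDs as written into the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream for a downloaded document.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://mail.example.test/\r\n"
                   "HostUrl=https://files.example.test/invoice.docm\r\n")
# Constructed sample for a file copied from an intranet share.
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Parse Zone.Identifier content; return a dict, or None if no usable ZoneId."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": section.get("HostUrl"),
        "referrer_url": section.get("ReferrerUrl"),
        # Assumption: zones 3 and 4 are what Office treats as internet-sourced.
        "macros_blocked_by_default": zone_id >= 3,
    }


def read_motw(path):
    """Read the MoTW of a file on NTFS; None if the stream is absent or unreadable."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for name, sample in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET)):
        print(name, parse_zone_identifier(sample))
```

A `None` result from `read_motw` means the file carries no tag at all, which is the case where the MOTW-based default described above does not apply.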