Thursday, April 18, 2024

Microsoft reverses course, again, will block macros by default

Three weeks ago, we reported that Microsoft said it would pause its rollout of a new security feature loved by security experts but feared by smaller enterprises: Blocking VBA macros by default from all documents downloaded from the internet.

The pause is over.

A blog post released last week slates the rollout of the feature will begin for general users on July 27.

VBA macros provide additional programming functionality for programs like Excel. But adding code that will run when an otherwise innocuous-looking document is opened has proved to be dangerous. Macros have been a top vector for attack since the Concept malware in 1995.

“By any measure, email continues to be the prevailing vector leveraged by adversaries for initial access, leading to a wide variety of damaging cyberattacks,” Brian Donohue, principal security specialist at Red Canary, told SC Media via email when the pause was first announced.

Microsoft’s update will tag documents downloaded from the internet for additional user scrutiny before running macros. When such a file is opened, Microsoft will put a red banner at the top of the page saying that macros have been blocked with a link to an article explaining why they are dangerous and how to re-enable macros for the file if the user thinks they are safe.

Some enterprises, particularly smaller enterprises, were concerned that this would jam workflows without giving enterprises time to adapt.

“You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher,” Microsoft wrote in its latest blog.

Recommended:  Finnish Intel warns of Russia’s cyberespionage activities

There is evidence that even just the specter of macros becoming a less effective vector has forced criminal groups to adapt.

“Emotet has used malicious macro documents for a billion years and just recently we have seen threat actors change their tactics and start using more containers, .LNK files, archive files, all that kind of stuff,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, noted when the pause was announced. “It’s truly very easy to speculate that was a response to Microsoft’s original decision. So not only was the earlier decision to disable macros by people celebrated, and seen as a positive, it actually really did impact behavior.”


Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
ClosePlease login
Just your average information security researcher from Delaware US.
User Avatar
Latest posts by RiSec.Mitch (see all)
Recommended:  “Huge flaw” threatens US emergency alert system, DHS researcher warns
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates