Microsoft disables VBA macros by default

Microsoft's change in the default settings of five Office applications aims to shut down a widely used and longstanding threat vector to enterprises.

In a new move to improve Microsoft Office security, the software giant announced that internet macros will now be blocked by default.

Kellie Eickmeyer, principal product manager at Microsoft, published a blog post Monday detailing the default change for five Office apps to be employed during this "challenging time in software security." A massive influx of remote workers brought on by the pandemic and a "migration to the modern cloud" were two recent changes Eickmeyer cited that also provide opportunities for threat actors to infiltrate organizations.

Macros have long been considered a security risk, with many infosec vendors and experts recommending that organizations disable the feature. Currently, accessing Visual Basic Application (VBA) macros is part of Microsoft's automated capabilities. That can be risky as macros are a common place to hide malware and can lead to threats like phishing emails. Despite organizations disabling VBA macros, users could enable macros with the click of a button, despite a notification bar with a warning, according to the blog.

"Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss and remote access," the blog post said.

The problem dates back to the late '90s, from what has become known as the Melissa virus, a mass-mailing macro campaign that targeted Microsoft Word and Outlook-based systems. Now, business email compromises and phishing scams have skyrocketed. According to Check Point's "Brand Phishing Report" for the fourth quarter of 2021, Microsoft ranked as the second-most frequently targeted brand.

In a statement on the blog, Tom Gallagher, partner group engineering manager of Office security, said that a "wide range of threat actors continue to target" Microsoft customers by "sending documents and luring them into enabling malicious macro code."

To address this notable attack vector, users will no longer be able to enable macros in files obtained from the internet with the simple click of a button. Now, Eickmeyer said, a message bar will appear for users, notifying them with a button to learn more about the security risks and safe practices.

The blog post also offered guidance for users who choose to enable macros. One practice Eickmeyer cited is saving files to remove the "mark of the web," which she said is an "attribute added to files by Windows when it is sourced from an untrusted location" such as the internet.

In addition, Microsoft recommended that organizations use the "Block macros from running in Office files from the Internet" policy to prevent users from inadvertently opening malicious files.

In another statement on the blog, Tristan Davis, partner group program manager for the Office platform, said Microsoft will continue to "make it more difficult to trick users into running malicious code via social engineering."

Microsoft declined a request for comment about the change.

While it is unclear what spurred the decision to disable VBA macros by default now, many infosec professionals said the change is positive. Dustin Childs, communications manager of the Trend Micro Zero Day Initiative, said blocking macros will benefit the overall security for end users by reducing the attack surface.

"History has shown a user will click on any warning dialog, regardless how dire the message, just to get their document open. Restricting macros in this new manner will prevent many of these attacks from occurring," he said in an email to SearchSecurity.

In a Twitter thread Monday, Nick Carr, cyber crime intelligence lead at Microsoft, referred to the change as "major progress" and a "data-driven win for security over many other business drivers."

Security researcher Kevin Beaumont responded to Carr, calling it a "really, really good win."

On the other hand, some infosec professionals felt Microsoft should have made the move sooner. For example, Aaron Grattafiori, red team lead at Facebook, questioned the timing.

"It only took 4? straight years of escalating ransomware, and 15? years of other hacks..." he wrote on Twitter.

The change will only affect Office on devices running Windows and five applications including Access, Excel, PowerPoint, Visio and Word, according to the blog. It will begin rolling out in version 2203 in early April.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing