Microsoft to (finally) block macros to stop malware

Microsoft will remove the one-click method of enabling macros from April. Image credit: NCSC

Threat groups often hide malware behind macros in innocent-seeming documents, but Microsoft's proposed change should make that route less effective

Microsoft has announced that it will begin blocking Visual Basic for Applications (VBA) macros by default in a variety of Office apps from April 2022 - making it more difficult for threat groups to remotely install malware via compromised documents.

The change will affect Office documents that are downloaded from the internet and contain macros.

Once the new functionality comes into effect, Office users will no longer be able to enable macros with a single click of a button. While it will still be possible to turn macros on, the simple confirmation pop-up that exists today will go the way of the dodo. Instead, users will see a message bar informing them that macros are blocked, alongside an option to learn more.

"For the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet," said Kellie Eickmeyer, a principal PM at Microsoft.

VBA macros are powerful automation tools that can add functionality to Microsoft Office. However, hacking groups often abuse them to distribute harmful payloads like ransomware to unsuspecting users.

The current model, where users can enable macros with a single click, means criminals know they can include macros in Office files that appear genuine to users. In many cases unsuspecting users enable macros without thinking, which lets hackers deliver payloads and launch cyber attacks.

Users will still be able to enable macros after Microsoft's upcoming change, though the process will require more input: they will have to navigate through additional layers, limiting the chance of accidental activation.

"The [new] default is more secure and is expected to keep more users safe including home users and information workers in managed organisations," Microsoft said.

For now, the functionality will be limited to installations of Office running on Windows machines, and will at first be applied to Word, Excel, PowerPoint, Access and Visio.

The change will be previewed starting in April in Office version 2203, before it is made available in other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.

Microsoft also plans to implement this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 in the future.