View all Business
View all Cloud
View all Hardware
View all Infrastructure
View all Security
View all Software
View all Technology
Microsoft has announced it will disable all Visual Basic Application (VBA) macros obtained from the internet in Office documents by default in a bid to tackle widespread exploitation of the method used for malware and ransomware delivery.
Cyber security experts have long called on Microsoft to change its approach to VBA macros and the move has been greeted positively by nearly all corners of the industry. The default setting will be applied to five Microsoft Office products – Word, Excel, Powerpoint, Visio, and Access – and will start rolling out to Windows users in April 2022 with the Version 2203 update via the Current Channel (preview).
The change will be available in other update channels at an unspecified later date, including in Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 will also eventually all receive the update.
VBA macros are commonly used in Microsoft office products to automate repeat manual functions and are especially commonplace in industries like accounting and finance to expedite tasks in spreadsheets, for example.
Cyber attackers are also commonly drawn to the feature to facilitate the launch of cyber attacks or distribute malware, a technique most commonly used in phishing attacks. A common scenario would see an attacker send a phishing email to an individual's work account containing a seemingly innocuous Office document attached.
Once the document is downloaded and opened, the user would be presented with a document with a notification in the toolbar providing the user to 'enable content' which would see the macro run and whatever malicious payload associated with it downloaded and installed.
Figures from Netskope's January Cloud Threat Report revealed that the use of Microsoft Office documents related to malware downloads increased to 37% by the end of 2021, compared to 19% at the start of 2020.
"A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code," said Tom Gallagher, partner group engineering manager at Office Security. "Usually, the malicious code is part of a document that originates from the internet (email attachment, link, internet download, etc.). Once enabled, the malicious code gains access to the identity, documents, and network of the person who enabled it."
Microsoft is changing the default behaviour of macros in five Office applications so that users will no longer be able to enable them with one click of a mouse. Instead, users will now be presented with a button encouraging them to click and learn more about the potential impacts of enabling macros, and what malicious ones can achieve on a corporate network.
"The default is more secure and is expected to keep more users safe including home users and information workers in managed organisations," Microsoft said.
The cyber security community has come out in droves to support the move from Microsoft, a move that some corners of the industry have requested for some time. As recently as the weekend, the topic resurfaced on social media with experts calling for a change in approach to macros.
At some point you recognize some features just aren't safe enough to leave enabled by defaultSomeone on the Windows team understood that and made a difficult choiceSomeone on the Office team needs to be replaced with someone who can understand and make a difficult choice
Malware campaigns launched through phishing attacks are typically the chief exploiters of VBA macros, such as the newly resurfaced Emotet campaign which relies on the method as a key entry point. Experts believe the move is expected to reduce the number of cyber attacks in businesses significantly.
"The implications of turning Macros off by default is a huge win for security as it significantly reduces the potential victim scope of macro-based attacks for cybercriminals," said Joseph Carson, chief security scientist at Delinea to IT Pro.
"In the past, we relied heavily on users to make security decisions on macros with a warning – this can potentially reduce the risks from curious employees who may just accept the warning and run the macro that could result in stolen credentials or a fully compromised machine. The issue lies in how quickly organisations can upgrade to this version as office upgrades can typically take a long time, though at least those who have moved to cloud solutions should benefit sooner."
Other experts have said malicious macros account for "about 25% of all ransomware entry" – a figure they describe as "conservative" mostly related to larger ransomware organisations like the ones most recently targeted by international law enforcement.
Some corners of the industry have raised concerns about how easily it will be for businesses to enforce the new default rules for Office documents given the entrenched culture of macros use in certain industries.
Security experts have said certain users who rely on macros for significant areas of their job, such as accountants, will likely complain to IT departments asking for the default to be reverted back to the one-click functionality of before, despite the risks.
The best defence against ransomware
How ransomware is evolving and how to defend against it
Others disagree, saying the difference will only add a small layer of friction to normal processes. Magni Reynir Sigurðsson, senior manager of detection technologies at Cyren said: "this will not affect industries that rely on documents using macros, they will just have to take the extra step of enabling them file by file for specific files they do trust".
"For those industries that heavily rely on macros such as financial or accounting industries, the hope is that Microsoft will, at last, make it simple enough for individuals to turn it on for on-demand purposes on approved documents and scanned documents," added Carson.
There are a number of policies available to system administrators who wish to enable the new macro settings in a custom way, one that's suitable for their business. Such policies include:
The image above outlines the evaluation flow for Office files with VBA macros and Mark of the Web (MOTW) – an attribute added to files by Windows when it is sourced from an untrusted location.
Administrators can read more about how the change impacts the environments in Microsoft's dedicated article for Office admins.
Big data for finance
How to leverage big data analytics and AI in the finance sector
Ten critical factors for cloud analytics success
Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI
Remove barriers and reconnect with your customers
The $260 billion dollar friction problem businesses don't know they have
The future of work is already here. Now’s the time to secure it.
Robust security to protect and enable your business
How to secure your hybrid workforce
The human brain is far more complex than AI researchers imagine
Why collaboration is key to digital transformation
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site www.futureplc.com
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885
Microsoft disables VBA macros in Office by default following years of complaints – IT PROMicrosoft disables VBA macros in Office by default following years of complaints – IT PRO https://eliteenterprisesoftware.com/wp-content/uploads/2022/09/wp-header-logo-915.png 0 0 Alan Dickson https://secure.gravatar.com/avatar/6162a8bbc0c962bebd372efbc1908402?s=96&d=mm&r=g
View all Business