VBA macros downloaded from the internet will now be blocked by default
VBA macros are a common way for malicious actors to gain access and deploy malware and ransomware. Microsoft is planning to change the default behavior of Office to make its apps more secure. The change will apply to Office versions dating back several years: Office will start blocking Visual Basic for Applications (VBA) macros by default in a variety of Office apps, so VBA macros downloaded from the internet will be blocked automatically.
Macros are automated actions that users can create in Office files. Hackers have long used them to inject malware into files sent to victims. In September, Microsoft had to patch up another major security flaw in Office and other Microsoft products.
With this change, when users open a file that came from the internet, and that file contains macros, the following message will be displayed:
The software giant announced in a blog post that it will add an extra step to enable macros in Office files downloaded from the internet. Office apps will now show users a warning message that they must go through first, instead of letting macros be activated with a single click.
However, macros downloaded from the internet will be automatically blocked in Office. Currently, files stored on NTFS volumes are checked for malicious macros through a 'Zone.Identifier' tag. This so-called 'mark-of-the-web' (MOTW) ensures that file changes are disabled by default. Windows adds the Mark of the Web (MOTW) attribute to files from an untrusted location, such as the internet or Restricted Zone. The attribute only applies to files saved on an NTFS file system, not to files saved to FAT32-formatted devices.
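The 'Zone.Identifier' tag described above is a small text stream attached to the file. As an added illustration (not Microsoft's code and not part of the original article), this Python example parses that stream and reports whether a file carries an untrusted-zone mark; the sample stream contents, the example.test URL, the verdict labels and the choice of ZoneId 3 and 4 as "untrusted" are assumptions of the example.

```python
import configparser

# Windows URL security zones, as stored in the stream's ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
UNTRUSTED = {3, 4}  # assumption: the zones the article calls untrusted

# Constructed sample stream contents (not taken from a real download).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "HostUrl=https://example.test/invoice.docm\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Return (zone_id, host_url) from stream text, or (None, None) if malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string("\n".join(text.lstrip("\ufeff").splitlines()))
        section = parser["ZoneTransfer"]
        return int(section["ZoneId"]), section.get("HostUrl")
    except (configparser.Error, KeyError, ValueError):
        return None, None


def read_motw(path):
    """Read a file's Zone.Identifier alternate data stream (Windows, NTFS)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None  # no mark: never tagged, stripped, or a non-NTFS volume


def classify(stream_text):
    """Map stream text (or None) to a (verdict, zone_name) pair."""
    if stream_text is None:
        return "no-motw", None
    zone_id, _host = parse_zone_identifier(stream_text)
    if zone_id is None:
        return "malformed", None
    verdict = "untrusted" if zone_id in UNTRUSTED else "not-untrusted"
    return verdict, ZONES.get(zone_id, "Unknown zone %d" % zone_id)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, classify(read_motw(path)))
    for name, text in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET)):
        print(name, classify(text), parse_zone_identifier(text)[1])
```

A "no-motw" result corresponds to the FAT32 caveat above: the file carries no mark, so defenders auditing a download share should treat unmarked macro-enabled files as unclassified rather than as safe.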
Microsoft's Kellie Eickmeyer explains the issue:
For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end-users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access.
In a significant change that will help to boost security, Microsoft says that VBA macros obtained from the internet will now be blocked by default. The company says:
For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.
In a blog post introducing the news, the company says that:
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.
The news has been well-received by the security community. Callum Roxan, Head of Threat Intelligence at security firm F-Secure says: "Any move towards security as a default, and not an option, is a real positive change. Complexity is a serious barrier to security and this change will help many organizations protect themselves. Threat actors will adapt, but macros have been a prevalent threat for a long time and this change will raise the cost and complexity for attackers".
Senior Incident Response Consultant at the company, John Rogers, adds:
This is a long-awaited change by the cyber security industry which is expected to greatly reduce the chances of harmful malware being delivered via phishing emails. However, it won't completely remove the threat. This change should not impact the small number of users who are required to run macros as a legitimate business function as it will only change the default behavior, which admins can change on a case-by-case basis. It's great to see a secure by design approach which would protect the majority of users as opposed to leaving security up to the untrained user.