Microsoft Once Again Blocks Malicious Macros in Office

Microsoft this week said they are once again reverting back to blocking Visual Basic Application (VBA) macros in Office.

This marks a return to a previous decision after the company initially reversed its policy on blocking the harmful macros earlier this month. While Microsoft has not given any indication why the initial policy rule of macro blocking was shortly reversed, it broke down its decision to finalize the policy in a blog post.

"VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we're changing the default behavior of Office applications to block macros in files from the Internet."

Microsoft initially announced the blocking of VBA macros in February in Access, Excel, PowerPoint, Visio and Word. The company made the switch during an April update, then earlier this month users started to notice that the blocking of macros by default was no longer turned on. Microsoft then shortly responded with the following statement:

Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability. This is a temporary change, and we are fully committed to making the default change for all users.

This week's return of the policy will now block potentially harmful macros and will display a security risk warning. Here's how Microsoft will determine what may be a harmful macro:

[Click on image for larger view.] Figure 1. How Office determines whether to run macros in a file from the Internet.

Microsoft said some may experience a false security risk flag if a file on an organization's intranet is identified as not being trusted. In those situations Microsoft recommends that IT designate internal locations and networks as Trusted sites or a Local intranet zone.

Currently, those with Office Version 2203 (rolled out in April) and Office 365 Version 2206 (released in June) will have macros blocked by default. Microsoft said a decision for the policy rolling out to those on the Monthly Enterprise, Semi-Annual Enterprise and Semi-Annual Enterprise (Preview) channels has yet to be determined.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube