IT Pros To Get More Security Control over Office Document Macro Content
Microsoft will finally better respect IT pro decisions about macros, ActiveX content and Office add-ins in e-mailed Office documents, according to a new security policy that'll be arriving in "early February 2022."
This new policy for "active content" in Office documents and so-called "Trusted Documents" is getting changed for Office 365 and Microsoft 365 "Current Channel" subscribers around that time, according to a Monday Microsoft announcement. However, the policy change won't get backported to older Office apps, Microsoft indicated.
When the new policy is available next year, IT pros will be able to set a policy that blocks active content in an Office document that arrives as an e-mail attachment. Unlike today, that policy can't be bypassed by end users, the announcement explained:
Previously, active content was allowed to run in Trusted Documents even when an IT administrator had set a policy to block it. As part of ongoing Office security hardening, the IT administrator's choice to block active content will now always take precedence over end-user set trusted documents.
This approach is new because end users currently can opt to open documents that have active content by customizing their settings, using the Office Trust Center to do so.
Office also has a "Protected View" mode that opens a document read-only in a sandbox with its active content disabled. However, end users can still click past the warning bar, open the attached document for editing and enable things like macros, which can carry malicious payloads.
Microsoft is aware of the problem, but has typically trusted end users to make such security decisions.
"Active content can provide powerful and useful functionality to users, but attackers can also use active content to deliver malware," Microsoft acknowledged in a Nov. 29-dated document describing the new policy for active content in Office documents.
Late Response from Microsoft
Microsoft's rather nonchalant attitude toward threats enabled by content like macros in Office documents is recounted in this Twitter thread by Nathan McNulty, who describes himself as a "security solutions architect." He noted a recent trend of using macros in ransomware attacks, and said the macros "still work even if you don't think you use them."
McNulty's thread prompted security researcher Kevin Beaumont, formerly of Microsoft, to describe Office macros as what keeps the security industry in business, in a Nov. 29 Twitter post:
Office macros are basically the security industry, if MS replaced Protected View (the yellow bar) with something modern (e.g. risk based functions on macros in certain parts of document, e.g. autoopen) it would fix a good part of security incidents worldwide.
A May Twitter thread by McNulty presenting the notion that "there seems to be no comprehensive guidance from Microsoft on securing macros," appears to have gotten a response. Mark Simos, lead architect for the Microsoft Cybersecurity Solutions Group, responded on May 12, saying that Microsoft had "started an internal conversation to address this."
Possibly, Microsoft's Monday announcement was prompted by that conversation, although it wasn't described as such.
Gmail Scans for Office Malware
McNulty hadn't wholly condemned Microsoft's approach, but indicated that measures like the Office 2016 policy setting that blocks macros in files downloaded from the Internet were likely little known by IT pros. He pointed to Antimalware Scan Interface (AMSI) protection for Excel 4.0 XLM macros (an old macro format) as another positive step forward.
However, McNulty noted that Google seems to have been ahead of Microsoft with its Gmail document scanning service, described last year, which is used to find attached documents containing malware.
"Since the new scanner launched at the end of 2019, we have increased our daily detection coverage of Office documents that contain malicious scripts by 10%," Google said back then regarding its document scanner. Google's announcement included a chart showing Office documents as constituting "56%" of attached malware cases.
Microsoft's new policy for active content in documents, coming in February 2022, will also notably change the order of checks. Office will evaluate cloud policies, group policies and local settings "before the user designation of a trusted document is even considered." If IT pros have disallowed end users from making trusted-document decisions, a document the user marked as trusted will still open, but its active content will be blocked under the new policy.
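An audit script that follows the precedence the announcement describes (policy first, the user's own trust records last) is a practical way to see where a workstation stands before the change lands. The script below is an added example, not code from the article or from Microsoft. It assumes the registry locations and value names used by the Office 2016 and later security ADMX templates (VBAWarnings, blockcontentexecutionfrominternet, DisableTrustedDocuments and the per-user TrustRecords key); the cloud-policy path is an assumption and should be verified against the templates deployed in your environment.

```powershell
# Added audit example (not from the article or from Microsoft). Reads admin-set policy
# values and the user's own Trusted Documents records for each Office app and reports
# which one governs active content under the stated precedence:
# cloud policy, then Group Policy, then local settings, then the user's trust records.
# ASSUMPTION: paths and value names are taken from the Office 2016+ security ADMX
# templates; the cloud policy hive in particular should be verified locally.
$apps = 'Word', 'Excel', 'PowerPoint'

# Policy hives in precedence order (highest first).
$policyRoots = @(
    'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0',   # assumed cloud policy location
    'HKCU:\Software\Policies\Microsoft\Office\16.0',         # user Group Policy
    'HKLM:\Software\Policies\Microsoft\Office\16.0'          # machine Group Policy
)

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$vbaMeaning = @{
    1 = 'enable all macros (dangerous)'
    2 = 'disable with notification (user can enable)'
    3 = 'disable except digitally signed'
    4 = 'disable all without notification'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value or $null without throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

foreach ($app in $apps) {
    $vba = $null; $motwBlock = $null; $trustOff = $null; $source = 'none'

    # Walk the policy hives; the first hive that sets a value wins.
    foreach ($root in $policyRoots) {
        $sec = "$root\$app\Security"
        if ($null -eq $vba) {
            $vba = Get-RegValue $sec 'VBAWarnings'
            if ($null -ne $vba) { $source = $root }
        }
        if ($null -eq $motwBlock) { $motwBlock = Get-RegValue $sec 'blockcontentexecutionfrominternet' }
        if ($null -eq $trustOff)  { $trustOff  = Get-RegValue "$sec\Trusted Documents" 'DisableTrustedDocuments' }
    }

    # Local (non-policy) Trust Center setting, consulted only when no policy sets VBAWarnings.
    if ($null -eq $vba) {
        $vba = Get-RegValue "HKCU:\Software\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        if ($null -ne $vba) { $source = 'local Trust Center setting' }
    }
    if ($null -eq $vba) { $vba = 2 ; $source = 'Office default' }

    # The user's own trust records: one registry value per document the user clicked "Enable" on.
    $recKey  = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Documents\TrustRecords"
    $records = Get-ItemProperty -Path $recKey -ErrorAction SilentlyContinue
    $trustedCount = 0
    if ($records) {
        $trustedCount = @($records.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Count
    }

    # Under the new precedence, any admin block wins over the user's trust records.
    $policyBlocks = ($vba -eq 4) -or ($trustOff -eq 1)

    Write-Output ("{0}: VBAWarnings={1} [{2}] from {3}; MOTW block={4}; trusted docs disabled={5}; user trust records={6}" -f
        $app, $vba, $vbaMeaning[[int]$vba], $source,
        ($(if ($null -eq $motwBlock) { 'not set' } else { $motwBlock })),
        ($(if ($null -eq $trustOff)  { 'not set' } else { $trustOff })),
        $trustedCount)

    if ($policyBlocks) {
        Write-Output "  -> active content BLOCKED by admin policy; the $trustedCount user trust record(s) no longer override it"
    } elseif ($trustedCount -gt 0) {
        Write-Output "  -> no admin block set: the user's $trustedCount trust record(s) still enable active content silently"
    } else {
        Write-Output "  -> no admin block set; user will be prompted and can enable active content"
    }
}
```

Run it as the user whose workstation you are auditing (the trust records live in HKCU). A line reporting "no admin block set" with a non-zero trust record count is the situation the announcement targets: today those documents run macros without any prompt, and after the change they only will if no cloud, group or local policy blocks them.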
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.