Security news that informs and inspires

Microsoft Rolls Back Strategy to Block Office Macros By Default

UPDATE -- Microsoft is temporarily rolling back its strategy around blocking macros obtained from the internet by default for several Office applications, a policy that had been widely praised by security researchers in helping to thwart cybercriminals that try to abuse macros as part of their spear-phishing attacks. In a statement, the company clarified that this is a temporary change and it is "fully committed to making the default change for all users."

"Following user feedback, we have rolled back this change temporarily while we make some additional changes to enhance usability," according to Microsoft in a Friday statement. "We will provide additional details on timeline in the upcoming weeks."

The rollback, first reported by BleepingComputer, was initially not formally announced but instead posted by a Microsoft representative in a Microsoft Tech Community forum after a Microsoft customer asked if the security change had been rolled back on the Current Channel.

Further details surrounding the rollback - including the specific reasons prompting it, the “feedback” received by customers - are scant.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said the move is “puzzling to threat researchers and defenders.”

“The announcement makes no mention of why this change was rolled back,” said DeGrippo. “The original reason for disabling macro content by default was based on the clear threat landscape trend of many years by threat actors to leverage macros within Office documents to execute additional code for malicious purposes. The original decision to disable these macros was condoned, if not celebrated by the security community. It was the right thing to do.”

In an early April release of the Version 2203 Current Channel (preview), Microsoft started blocking macros obtained from the internet by default for several Office applications - Access, Excel, PowerPoint, Visio and Word - on devices running Windows. With Microsoft’s change in Version 2203, users trying to enable macros in files that are obtained from the internet would no longer be able to quickly choose that option with a seamless click of a button. Instead, the security warning message bar would appear with the message: “Microsoft has blocked macros from running because the source of this file is untrusted.” The message bar would then include a button to learn more, which directed end users to an article containing information about the security risks of macros, safe practices to prevent phishing and instructions on how to enable the macros.

"The original decision to disable these macros was condoned, if not celebrated by the security community. It was the right thing to do.”

Microsoft had also previously disclosed plans to block macros by default for Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 “at a future date to be determined.” It’s not immediately clear whether these plans are still in place.

After Microsoft started blocking them by default, macros had still been used by cybercriminals targeting users that either relied on outdated Office versions or that had changed the default setting to explicitly enable macros; however, researchers noted that they had observed many attackers also utilizing new malware delivery methods for spear-phishing attacks - including XLL files, ISO images, Microsoft shortcut files and MSI files - that decrease their reliance on malicious macros.

According to Netskope, since February, Office documents have accounted for less than 15 percent of all malware, and have spent most of the last five months below 10 percent. For comparison, Office documents accounted for 35 percent of all malware at this time one year ago, Netskope researchers said.

“This recent rollback is a strange choice,” said DeGrippo. “We saw a clear trend from threat actors to start working around the disabled macros to leverage new techniques. It’s an easy prediction to see threat actors now moving back to their tried-and-true malicious macro document techniques.”

John Shier, senior security advisor at Sophos, said that meanwhile now Microsoft customers will be reverted to Microsoft's previous method of warning against potentially harmful content by displaying a banner on documents containing macros.

“Hopefully, Microsoft sorts out the issue that prompted the reversal, communicates why the decision was made, and finds a way to re-implement the mitigation in a way that provides the most benefit for their partners and customers,” said Shier. “Mitigations like these are a good example of how to impose costs on criminals who have too long relied on relatively easy deceptions to deploy malware.”

This article was updated on July 11 to reflect Microsoft's latest statement on the matter.