Starting in April, Microsoft plans to block macros obtained from the internet by default in several Office applications on Windows (Access, Excel, PowerPoint, Visio and Word), in an attempt to thwart cybercriminals who abuse macros as part of their spear-phishing attacks.
Macros are programs written in Visual Basic for Applications (VBA) that are commonly used to automate repetitive tasks in Microsoft Office applications. Cybercriminals, however, have leveraged them to deliver malicious payloads or to steal sensitive data. An attacker merely needs to email an Office attachment to an unsuspecting target and convince them to enable the malicious macros. Previously, opening such a file showed a notification bar with a security warning; however, that same bar also gave users an "Enable Content" button that dismissed the warning and ran the macros with a single click.
Now, Microsoft has added extra measures to that step with the goal of making this type of abuse more difficult. If users are trying to enable macros in files that are obtained from the internet, they will no longer be able to quickly choose that option with a seamless click of a button. Instead, the security warning message bar will now appear with the message: “Microsoft has blocked macros from running because the source of this file is untrusted.” The message bar will include a button to learn more, which directs end users to an article containing information about the security risks of macros, safe practices to prevent phishing and instructions on how to enable the macros.
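Office decides that a file was "obtained from the internet" by reading the Mark of the Web, an NTFS alternate data stream named Zone.Identifier that browsers and mail clients attach to downloaded files (ZoneId=3 is the Internet zone). The following PowerShell is an added example, not code from the article or from Microsoft: it shows how to inspect that stream, how a downloaded file is stamped, and what happens when a user "unblocks" the file, which removes the mark and therefore the block. It also sets the registry value behind the existing Group Policy setting "Block macros from running in Office files from the Internet" so that admins can enforce the block before the default changes; the value name and Policies path are from memory of that policy and should be checked against your ADMX templates. The sample document path and its placeholder contents are constructed for the demonstration.

```powershell
# Added example (not from the article). Requires Windows PowerShell on NTFS.

function Get-MotwZone {
    # Return the ZoneId from a file's Zone.Identifier stream, or $null when the
    # file carries no Mark of the Web (Office then treats it as a local file).
    param([Parameter(Mandatory)][string]$Path)
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    $line = $stream | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Test-MacroBlockedBySource {
    # Mirrors the new default: macros are blocked when the file came from the
    # Internet (3) or Restricted Sites (4) zone. Other zones fall back to the
    # older warning-bar behaviour.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-MotwZone -Path $Path
    return ($zone -eq 3 -or $zone -eq 4)
}

# Constructed sample: a fake .docm stamped the way a browser download would be.
$doc = Join-Path $env:TEMP 'invoice.docm'
Set-Content -LiteralPath $doc -Value 'placeholder document body (not a real macro file)'
Set-Content -LiteralPath $doc -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

"Zone after download : $(Get-MotwZone $doc)"                  # 3
"Macros blocked      : $(Test-MacroBlockedBySource $doc)"     # True

# The bypass the article warns about: a lure that talks the user into
# Properties > Unblock (equivalent to Unblock-File) strips the mark entirely,
# and the file is no longer "from the internet" as far as Office is concerned.
Unblock-File -LiteralPath $doc
"Zone after Unblock  : $(Get-MotwZone $doc)"                  # (empty) no mark
"Macros blocked      : $(Test-MacroBlockedBySource $doc)"     # False

# Enforce the block today via the existing policy, per application.
# Assumed registry location of the "Block macros from running in Office files
# from the Internet" policy; verify against the Office ADMX before deploying.
foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}
"Policy set for: Word, Excel, PowerPoint, Access, Visio"
```

Two caveats a defender should keep in mind: the mark only travels with the file on NTFS, so files extracted from some archives, copied to FAT-formatted removable media, or handled by tools that do not propagate Zone.Identifier arrive without it; and the "unblock" step above is exactly the action a social-engineering lure will try to walk the victim through, so monitoring for Zone.Identifier removal on Office documents is a useful detection.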
Sean Gallagher, senior threat researcher with Sophos, said the step is “a very important move” in blocking cybercriminals from “using Office as a leaping-off point.”
“We see [abuse of macros] as a significant portion of the malware activity, especially spam-related malware leveraging documents laden with macros or with other things that reference external macros that are on the internet,” said Gallagher.
According to a Monday post from Microsoft, the change will start rolling out in Version 2203, beginning with the preview channel in early April.
Macro abuse has caused years of headaches for the security community. Blocking macros by default was likely not an easy task for Microsoft, however: it probably meant working through the entire Office code base and making sure the change would not break a large number of applications and cause greater problems, said Gallagher. Microsoft said it also plans to bring the change to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013 in the future.
It is important to note that Microsoft's imminent change will not entirely block macros. It instead adds extra steps for end users, which also serve as a reminder of the potential security concerns. Gallagher said one concern with this approach is that cybercriminals will evolve their own attacks. Email-based attacks leveraging macros have typically relied on social engineering: attackers sometimes use lures that place urgency on the end user, or hijack an existing email thread (by compromising an email account) to convince targets that they are talking to someone they trust.
“My biggest concern is that the next social engineering trick will be to convince the end user that even though it says this isn’t from a trusted source, it’s still trusted,” Gallagher said. “We need to train users to not click to load the macro that has been blocked by default.”
Will Dormann, vulnerability analyst at the CERT/CC, agreed that attackers will definitely "step up their game" in response to Microsoft's security measures around macros. However, he stressed that the planned change is still “very significant.”
“It removes the easiest way to get code execution on a victim's system,” said Dormann. “Will this be a panacea? Absolutely not. But just because a defense isn't 100 percent protection, that doesn't mean that it's worthless, or that it shouldn't be used."