The flaw was first reported to Microsoft in 2019, but at the time the company said it did not consider the issue to be a vulnerability.
The H0lyGh0st ransomware group has spent the last year targeting small and medium-sized businesses - but has not yet successfully extorted ransom payments from victims, said Microsoft researchers.
Microsoft fixed the flaw as part of its regularly scheduled update, which includes over 80 critical- and important-severity bugs.
Microsoft has identified a long, widespread phishing campaign that stole session cookies to bypass MFA and led to BEC and payment fraud.
Security researchers say the choice by Microsoft to re-enable Office macros by default is "puzzling."