Microsoft will block macros from internet downloads by default
Microsoft will make it harder for macros in Office documents downloaded from the Internet to run, the company announced this week. The change has been welcomed by security professionals.
Office macros, which add programming functionality to everyday workplace documents, have been a launching pad for malicious actors since the Clinton administration: the Concept virus, the first Word macro virus, appeared in 1995. More than 25 years later the problem persists, despite Microsoft’s earlier efforts to limit adversarial use.
“Although we provided a notification bar to notify users of these macros, users could still decide to enable macros with the click of a button. Bad actors send macros in Office files to end users who enable them unknowingly, malicious payloads are being delivered and the impact can be severe, including malware, compromised identity, data loss, and remote access,” Microsoft’s Kellie Eickmeyer wrote in a blog post announcing the new measures.
Redmond is removing the Windows user’s ability to run macros in files downloaded from the Internet with a single click. Instead, the notification bar will now lead to a lengthy article explaining why macros can be dangerous, why users should be wary of macros they weren’t expecting, and how they can re-enable macros on a document they trust.
Files downloaded from untrusted locations carry a “Mark of the Web” (MOTW) attribute, which Office will now use to block macros in those files. The change will first roll out to the current generation of Office; the same behaviour for Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013 will follow at “a future date to be determined”.
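The article does not explain where the Mark of the Web lives or how to check for it. The following is an added example, not code from the article or from Microsoft, showing how a practitioner can inspect the mark on a downloaded file and predict whether the new default applies. It assumes an NTFS volume, where MOTW is stored as an alternate data stream named Zone.Identifier whose ZoneId line records the URL security zone (3 = Internet, 4 = Restricted Sites). The function names, the sample file and its stream contents are constructed for the demonstration; the registry location at the end is the one used by the pre-existing "Block macros from running in Office files from the Internet" policy for Word.

```powershell
# Added example (not from the article or Microsoft): read a file's Mark of the Web
# and decide whether Office's new default would block its macros.
# Assumes NTFS (the mark is an alternate data stream) and Windows PowerShell 5.1 / PowerShell 7.

function Get-MotwZone {
    # Returns the ZoneId recorded in the Zone.Identifier stream, or $null if the
    # file carries no mark at all (in which case Office treats it as local).
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-OfficeWouldBlockMacros {
    # Zones 3 (Internet) and 4 (Restricted Sites) are the "from the Internet" cases
    # that the new default blocks; lower zones (local, intranet, trusted) are not.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-MotwZone -Path $Path
    return ($null -ne $zone -and $zone -ge 3)
}

# --- Constructed demo: create a placeholder file and stamp it as Internet-sourced ---
$sample = Join-Path $env:TEMP 'invoice.docm'
Set-Content -LiteralPath $sample -Value 'placeholder content, not a real document'
# This mirrors what a browser or mail client writes; HostUrl/ReferrerUrl lines are optional.
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.com/invoice.docm'
)

"Zone: {0}; blocked by new default: {1}" -f (Get-MotwZone -Path $sample), (Test-OfficeWouldBlockMacros -Path $sample)

# Removing the mark is the "re-enable" route Microsoft's article describes, and it is
# also what a lure document will instruct the victim to do. Unblock-File deletes the
# stream, so afterwards Get-MotwZone reports no zone and the block no longer applies.
Unblock-File -LiteralPath $sample
"After Unblock-File, zone: {0}; blocked: {1}" -f (Get-MotwZone -Path $sample), (Test-OfficeWouldBlockMacros -Path $sample)

# The same block has been available as a Group Policy since Office 2016. Check whether
# it is already enforced for Word on this machine (policy registry location assumed
# from Microsoft's administrative templates; absent value means not configured).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$policy = Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
"Word policy 'Block macros from running in Office files from the Internet' enforced: {0}" -f ($policy.blockcontentexecutionfrominternet -eq 1)
```

Two caveats follow directly from where the mark lives. Only files that actually carry the Zone.Identifier stream are affected: a file copied to a FAT or exFAT volume, or extracted or mounted by a tool that does not propagate the stream to the contents, arrives unmarked and is treated as local. And because the stream is a plain user-writable attribute, a user who has been talked into "fixing" the document can strip it with one right-click or one cmdlet, which is exactly the social-engineering path the rest of the article describes.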
This decision was met with enthusiasm in the cybersecurity industry.
“Thank goodness. It took about 20 years,” said Rotem Iram, CEO of cyberinsurer At-Bay. “It’s the number one way to access our customers’ networks from email. I mean, how many people use macros anyway? Why was it open by default?”
Macros remain a very common attack mechanism because users are remarkably resourceful at circumventing security controls they believe stand between them and their job.
“We are seeing a fair amount of macro-related threat vectors from nation states and cybercriminals – based on previous experience, users will find a way to enable or run malicious content if they think they need it,” said Adam Meyers, senior vice president of intelligence at CrowdStrike. “That’s the essence of social engineering.”
Past campaigns have built step-by-step instructions for enabling macros into their lure documents, and attackers are adept at finding a new place to hide malicious code whenever an old one becomes harder to use. Microsoft is closing a door, but experts agree that several other windows remain wide open.
“Organizations should couple this change with ongoing anti-phishing technology, training techniques, and testing to shape vigilance and security awareness,” said Richard Fleeman, vice president of penetration testing operations at Coalfire.