Microsoft blocks Internet macros by default in five Office applications

In one of the most impactful changes made in recent years, Microsoft today announced that it will by default ban the execution of VBA macro scripts within five Office applications.

Beginning in early April 2022, users of Access, Excel, PowerPoint, Visio, and Word will no longer be able to enable macro scripts inside untrusted documents they downloaded from the Internet.

The change, which security researchers have been calling for years, is expected to pose a serious obstacle to malware gangs, which have relied on tricking users into enabling the execution of a macro script as a way to install malware on their systems.

In these attacks, users usually receive a document via email or are asked to download it from a website on the Internet. When the file is opened, the attacker usually leaves a message that instructs the user to enable the macro script to be executed.

While users with some technical and cybersecurity knowledge may be able to recognize this as a lure for malware infection, many daily Office users are still unaware of this technology and end up following the instructions provided, effectively infecting themselves with malware.

macro document
Photo: Fortinet

Dealing with this issue has been a thorn in Microsoft’s foot since VBA macro scripts are often used within companies to automate certain processes and tasks when opening certain files, such as importing data and updating content within a document from dynamic sources.

Since the early 2000s, Microsoft has attempted to address this issue by showing a mild security warning in the form of a toolbar at the top of the document, but this warning also contained controls that allow users to execute macro scripts.

Previous VBAMacros
Photo: Microsoft

After this change is rolled out to end users, this warning will change to display a red alert bar notifying the user that the document contains macros but that cannot be enabled for security reasons.

VBAMacrosBlockedTrustBar
Photo: Microsoft

Microsoft announced its plans today in a blog post on its tech community portal. The blog post also contains a description of the logic that the five Office applications will follow when deciding whether to allow or block the execution of macro scripts within a document.

VBA- Macros
Photo: Microsoft

Microsoft said the decision to block VBA macros by default only affects Access, Excel, PowerPoint, Visio, and Word on Windows. Documents containing VBA macros that are created and obtained from within the organization’s trusted network will still be allowed to run.

“The change will begin in version 2203, starting with Current Channel (Preview) in early April 2022,” Microsoft said today.

“Later, the change will be available in other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.”

The change will be rolled out to all Microsoft 365 customers and the operating system manufacturer said it also plans to roll back the change to other Office versions, such as Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

Once completed, this step will affect the distribution of a large number of strains of commodity malware, as well as numerous financial and politically motivated spying campaigns; However, these processes are likely to continue using other techniques.

Previously, Microsoft also blocked the execution of Excel 4.0 (XLM) macros after similar abuse by malware gangs.

Catalin Simbano is a cybersecurity reporter for The Record. Previously, he worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his ongoing areas of new vulnerabilities, cyberattacks, and law enforcement actions against hackers.