Now Microsoft Office is blocking macros by default
There’s been a bit of back and forth since the change was originally announced, but this week Microsoft started rolling out an update to Microsoft Office that blocks the use of Visual Basic for Applications (VBA) macros on downloaded documents.
Last month, Microsft was testing the new default setting when it suddenly rolled back the update, “temporarily while we make some additional changes to enhance usability.” Despite saying it was temporary, many experts worried that Microsoft might not go through with changing the default setting, leaving systems vulnerable to attacks. Google Threat Analysis Group leader Shane Huntley tweeted, “Blocking Office macros would do infinitely more to actually defend against real threats than all the threat intel blog posts.”
Now the new default setting is rolling out, but with updated language to alert users and administrators what options they have when they try to open a file and it’s blocked. This only applies if Windows, using the NTFS file system, notes it as downloaded from the internet and not a network drive or site that admins have marked as safe, and it isn’t changing anything on other platforms like Mac, Office on Android / iOS, or Office on the web.
While some people use the scripts to automate tasks, hackers have abused the feature with malicious macros for years, tricking people into downloading a file and running it to compromise their systems. Microsoft noted how administrators could use Group Policy settings in Office 2016 to block macros across their organization’s systems. Still, not everyone turned it on, and the attacks continued, allowing hackers to steal data or distribute ransomware.
Users who try to open files and are blocked will get a pop-up sending them to this page, explaining why they probably don’t need to open that document. It starts by running through several scenarios where someone might try to trick them into executing malware. If they really do need to see what’s inside the downloaded file, it goes on to explain ways to get access, which are all more complicated than what happened before, where users could usually enable macros by pressing one button in the warning banner.
This change may not always stop someone from opening up a malicious file, but it does provide several more layers of warnings before they can get there while still providing access for the people that say they absolutely need it.