Less than a month ago, Microsoft announced that it would disable Excel 4.0 (XLM) macros by default, because malware distributors often abuse that functionality to do their work. To take a recent example, in January it was the resource of choice for a new wave of Emotet infections.
Now, applying the same criteria, the company has just announced new measures to hinder the spread of malware: disabling Visual Basic for Applications (VBA) macros by default in documents downloaded from the web, a measure that will affect all its products, including Word, Excel, PowerPoint, Access and Visio.
Microsoft Tip: “If a file downloaded from the Internet wants you to enable macros, and you’re not sure what those macros do, you should probably delete that file.”
This is an attempt by Microsoft to eliminate a very common attack vector, especially when it comes to introducing Trojans such as Emotet, TrickBot, Qbot and Dridex. In the words of Kellie Eickmeyer, a Microsoft employee, on the Tech Community blog:
“Cyber attackers send macros in Office files to end users who unknowingly enable them and allow them to deliver malicious payloads.” Eickmeyer adds that the consequences of this can be serious and varied: loss or leak of data, enabling remote access to our equipment, etc.
Unsuspecting users, the weak link in the chain
Although Microsoft often discourages users from allowing macros in Office files and displays banners with the warning “Microsoft has blocked macros from running because the file source is not trusted” when the document is opened, many unsuspecting users (recipients of phishing emails, for example) end up enabling this feature.
This change is expected to be applied once Microsoft 365 products are updated throughout April 2022, with plans to port this feature “at future dates” to older versions of the company's office suite: Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
If you don’t want to wait until April for the new default, you can change the Office macro settings yourself by following the instructions on this Microsoft support page.
In the words of Tristan Davis, manager of the Microsoft Office platform partner program:
“We will continue to fine-tune our user experience around macros, as we have done here, to make it more difficult to trick users into running malicious code using social engineering, while maintaining a path that allows legitimate macros to be enabled where appropriate through trusted publishers and/or locations.”