Microsoft will make it even more difficult to download and run malicious Office documents from the internet, the company announced this week. It’s a change welcomed by security pros.
Office macros, which provide programming functions for use in common workplace documents, have been a launching pad for malicious actors since the Clinton administration. The Concept Virus first appeared in 1995. Nearly thirty years later, it is still a problem, despite Microsoft’s previous efforts to curb adversarial use.
“While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to endusers who unknowingly enable them, malicious payloads are delivered, and the impact can be severe, including malware, compromised identity, data loss, and remote access,” Microsoft’s Kellie Eickmeyer wrote in a blog post announcing new measures.
Redmond is taking away Windows user’s ability to run macros in files downloaded from the internet in a single click. Instead, the notification bar will now lead to a lengthy article explaining why macros can be dangerous and why users should be skeptical of macros they were not expecting to receive that contains instructions on how users can re-enable macros on their document.
Documents downloaded from untrusted locations will be given a “MOTW” [Mark of the Web] attribute used to block macros. The change will first roll out in the current generation of Office, with fixes for Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013 being introduced at “a future date to be determined.”
The move was met with enthusiasm across the cybersecurity industry.
“Thank God. It took like 20 years,” said Rotem Iram, CEO of cyber insurer At-Bay. “This is the number one way to get into our customer’s networks from within email. I mean, how many people use macros anyway? Why was it open by default?”
Macros remain a very common mechanism for attacks because users are particularly diligent in circumventing security mechanisms they think are preventing them from doing their jobs.
“We see a fair amount of macro-related threat vectors from nation-states and e-criminals – based on previous experience users will find a way to enable or run malicious content if they think they need it,” said Adam Meyer, senior vice president for intelligence at CrowdStrike. “This is the essence of social engineering.”
Campaigns have been known to work instructions to enable macros into their lures in the past and are adept to find new ways to find a new place to hide malicious code when an old one becomes more difficult. Microsoft is closing a door, but experts agree several other windows are still wide open.
“Organizations should pair this change with ongoing anti-phishing technology, training techniques, and testing to shape vigilance and security mindfulness.” said Richard Fleeman, vice president of penetration testing ops at Coalfire.