View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 8, 2022updated 21 Aug 2023 3:42pm

‘A step in the wrong direction’: Microsoft reverses block on Office macros

Macros are often used to launch malware, so Microsoft's change of heart is likely to boost cybercriminals.

By Matthew Gooding

Microsoft has surprisingly reversed a decision to put a default block on visual basic macros embedded in downloaded Office documents. The macros are commonly used by cybercriminals to launch attacks, and the change of heart from Microsoft has left some cybersecurity experts baffled.

Microsoft says it no longer plans to block potentially malicious macros in Office documents. (Photo by

In February, Microsoft announced it would make macros – small programs embedded in word documents written in the visual basic coding language – more difficult to execute in documents downloaded from the web. The change had been expected to come into force in June, but a message reportedly posted by the company in the Office 365 message centre says it has been suspended.

“Based on feedback, we’re rolling back this change,” Microsoft told Office 365 users. “We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.”

Tech Monitor has approached Microsoft to request a fuller explanation.

Why are macros dangerous in Microsoft Office documents?

Using malicious macros embedded in documents is a popular method for cybercriminals seeking to launch phishing attacks, where victims are tricked into opening what appear to be legitimate messages or files but which actually contain malware. Widely deployed malwares such as Emotet, TrickBot and Qbot have all been spread using this method.

These macros are already blocked by default in Office programs like Word, Excel and Powerpoint when a user downloads a document from online and when announcing the change in February, Microsoft explained that it was making it even harder to activate them by removing the “one click” activation option which currently appears at the top of documents with blocked macros. Instead users would have to enable them via the document’s properties.

“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Tristan Davis, a partner group program manager for Microsoft Office said at the time.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

What do users think of Microsoft’s decision not to block macros in Office?

Microsoft’s change of heart has left many security experts baffled. A post from the Twitter account of white hat hacking group Cryptolaemus said: “This is rather unfortunate & a step in the wrong direction,” adding that it hopes Microsoft “can resolve the problems and still roll this out.”

Eva Galperin, director of cybersecurity for the online security organisation Electronic Frontier Foundation, said on Twitter: “This is a terrible idea. I’ve lost track of the number of campaigns I saw targeting civil society that used office macros to install malware.”

The news is likely to be a boost for ransomware gangs like Emotet, which have been exploring other options for distributing their malware as Microsoft tightened controls around macros. A report from security company ESET released earlier this month documented how the hackers behind Emotet have been abandoning Office documents and instead using LNK files as attachments to emails to spread their malware.

Read more: Microsoft is now a cybersecurity titan. That could be a problem

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.