Microsoft has surprisingly reversed a decision to put a default block on Visual Basic macros embedded in downloaded Office documents. The macros are commonly used by cybercriminals to launch attacks, and the change of heart from Microsoft has left some cybersecurity experts baffled.
In February, Microsoft announced it would make macros – small programs, written in the Visual Basic coding language, that are embedded in Word documents – more difficult to execute in documents downloaded from the web. The change had been expected to come into force in June, but a message reportedly posted by the company in the Office 365 message centre says it has been suspended.
“Based on feedback, we’re rolling back this change,” Microsoft told Office 365 users. “We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.”
Tech Monitor has approached Microsoft to request a fuller explanation.
Why are macros dangerous in Microsoft Office documents?
Using malicious macros embedded in documents is a popular method for cybercriminals seeking to launch phishing attacks, where victims are tricked into opening what appear to be legitimate messages or files but which actually contain malware. Widely deployed malware strains such as Emotet, TrickBot and Qbot have all been spread using this method.
These macros are already blocked by default in Office programs like Word, Excel and PowerPoint when a user downloads a document from the internet. When announcing the change in February, Microsoft explained that it was making it even harder to activate them by removing the “one click” activation option which currently appears at the top of documents with blocked macros. Instead, users would have to enable them via the document’s properties.
“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Tristan Davis, a partner group program manager for Microsoft Office, said at the time.
What do users think of Microsoft’s decision not to block macros in Office?
Microsoft’s change of heart has left many security experts baffled. A post from the Twitter account of white hat hacking group Cryptolaemus said: “This is rather unfortunate & a step in the wrong direction,” adding that it hopes Microsoft “can resolve the problems and still roll this out.”
🤬This is rather unfortunate & a step in the wrong direction. We saw threat actors/crimeware distro start to use LNKs/ISOs/ZIPs etc again as the primary foot in the door tells us that the macro defaults matter. Hopefully Microsoft can resolve the problems & still roll this out. https://t.co/H18BY8a6d5
— Cryptolaemus (@Cryptolaemus1) July 7, 2022
Eva Galperin, director of cybersecurity for the online security organisation Electronic Frontier Foundation, said on Twitter: “This is a terrible idea. I’ve lost track of the number of campaigns I saw targeting civil society that used office macros to install malware.”
The news is likely to be a boost for ransomware gangs like Emotet, which have been exploring other options for distributing their malware as Microsoft tightened controls around macros. A report from security company ESET released earlier this month documented how the hackers behind Emotet have been abandoning Office documents and instead using LNK files as attachments to emails to spread their malware.