Less than a month ago, Microsoft announced that it would disable Excel 4.0 (XLM) macros by default, since the feature is often abused by malware distributors. As recently as January, it was the technique of choice for a new wave of Emotet infections.
Now, applying the same criteria, the company has just announced a new measure to hinder the spread of malware: disabling Visual Basic for Applications (VBA) macros by default in documents downloaded from the web, a move that will affect all of its products, including Word, Excel, PowerPoint, Access and Visio.
Microsoft Tip: “If a file downloaded from the Internet wants you to enable macros, and you’re not sure what those macros do, you should probably delete that file”
This is an attempt by Microsoft to remove a very common attack vector, one used especially to deliver Trojans such as Emotet, TrickBot, Qbot and Dridex. In the words of Kellie Eickmeyer, a Microsoft employee, on the Tech Community blog:
“Cyber attackers send macros in Office files to end users who unknowingly enable them and allow them to deliver malicious payloads.” Eickmeyer adds that the consequences of this can be serious and varied: loss or leak of data, enabling remote access to our equipment, etc.
Unsuspecting users, the weak link in the chain
Although Microsoft often discourages users from allowing macros in Office files and displays banners with the warning “Microsoft has blocked macros from running because the file source is not trusted” upon opening the document, many unsuspecting users (recipients of phishing emails, for example) end up enabling this feature.
This change is expected to apply once Microsoft 365 products are updated throughout April 2022. There are plans to port this feature “at future dates” to older versions of the company’s office suite: Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
If you don’t want to wait until April to change the default configuration of Office macros, you can change it now by following the instructions on this Microsoft support page.
In the words of Tristan Davis, manager of the Microsoft Office platform partner program:
“We will continue to fine-tune our user experience around macros, as we have done here, to make it more difficult to trick users into running malicious code through social engineering, while maintaining a path that allows legitimate macros to be enabled where appropriate through trusted publishers and/or locations.”
Via | Bleeping Computer