Microsoft rolls back the Office macros blocking until further notice

Microsoft pauses its plan to block VBA macros in downloaded Office files by default

Microsoft rolls back the decision to block macros by default

There are no other details on why Microsoft has decided not to implement the automatic Office macro blocking feature yet.

Microsoft announced earlier that VBA macros in documents downloaded from the Internet would be blocked by default. It has now stated that it is rolling the change back based on feedback, and it is unclear when the block will return.[1] No explanation or public report has been given for the decision. The automatic block was originally announced for Access, Excel, PowerPoint, Visio, and Word.[2]

The note was posted for admins in the Microsoft 365 message center, and the company stated that the feedback received so far led it to roll back the change. No dates or timelines were given; according to Microsoft, further updates will follow.

This was a wanted and long-expected change, because VBA macros are a popular way to distribute malware. Major families such as Emotet, TrickBot, and Qbot are spread through phishing,[3] with malicious Office documents attached to emails as the main vector for gaining initial access to a machine and staging further campaigns.

The promising change was awaited

The default VBA macro block was expected to cut down the attacks that use macros to deliver information stealers, malicious tooling, trojans, and ransomware. With the block enabled, a user who opens a macro-enabled document that carries the Mark-of-the-Web sees the banner "SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted". This banner is what warns the user of the risk behind Office macros.

The rollback raised more questions among users and caused confusion because of the lack of transparency. Customers first noticed it from the change in the buttons shown at the top of downloaded Office documents with embedded macros.[4]

The sparse communication from Microsoft drew complaints, since the original announcement of the change was also brief and unexplained. The company did not share the negative feedback that led to the rollback. Other comments state that the Unblock button, which removes the Mark-of-the-Web from downloaded files, has been missing. Despite these comments and the feedback after the decision, Microsoft says it has nothing more to add.
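Because the block hinges on the Mark-of-the-Web (the Zone.Identifier alternate data stream that Windows attaches to downloaded files) and the Unblock button simply deletes that stream, an administrator does not have to wait for Microsoft's default to return. The script below is an added example, not from the article or from Microsoft: it reads the zone of downloaded Office files and enforces the "Block macros from running in Office files from the Internet" Group Policy through its registry value. It assumes Office 2016 or later (the 16.0 policy hive), that the files live under the current user's Downloads folder, and that the per-application key names match the applications Microsoft listed; the policy value is written under HKCU, so it applies to the current user only.

```powershell
# Added example: inspect Mark-of-the-Web on downloaded Office files and enforce the
# Internet macro block via policy. Assumptions: Office 16.0 policy hive, NTFS volume
# (alternate data streams), files under $env:USERPROFILE\Downloads.

function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)
    # The Mark-of-the-Web lives in the Zone.Identifier alternate data stream.
    # No stream means the file was never marked, or it was removed (the Unblock
    # button in the file's Properties dialog, or Unblock-File, does exactly that).
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

function Get-DownloadedOfficeFileStatus {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    # Zone 3 = Internet, 4 = Restricted sites: the zones Office treats as untrusted
    # and for which the default block (when enabled) refuses to run macros.
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Include *.doc,*.docm,*.xls,*.xlsm,*.pptm |
        ForEach-Object {
            $zone = Get-MotWZone -Path $_.FullName
            [pscustomobject]@{
                File                 = $_.FullName
                ZoneId               = $zone
                MacrosWouldBeBlocked = ($null -ne $zone -and $zone -in 3, 4)
            }
        }
}

function Set-OfficeInternetMacroBlock {
    # Writes the value set by the Group Policy "Block macros from running in Office
    # files from the Internet" for each listed application. 1 = enforce the block
    # regardless of Microsoft's shipped default; 0 = fall back to the default.
    param([switch]$Enable)
    $value = if ($Enable) { 1 } else { 0 }
    foreach ($app in 'word', 'excel', 'powerpoint', 'access', 'visio') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
}

# Usage: list which downloaded files still carry the mark, then enforce the block.
Get-DownloadedOfficeFileStatus | Format-Table -AutoSize
Set-OfficeInternetMacroBlock -Enable
```

Files that show no ZoneId are the ones to worry about: either they arrived through a channel that does not apply the mark (some archive tools and non-browser downloads do not), or someone already clicked Unblock, and in both cases Office will treat them as local and fall back to the ordinary Enable Content prompt. For fleet-wide enforcement, deploy the same policy setting through the Office ADMX templates rather than editing HKCU on each machine.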

The danger of malicious macro usage

Threat actors run spam campaigns that claim to deliver invoices, invitations, payment details, shipping notices, and voicemails. The messages pose as coming from legitimate companies, government agencies, and other organizations to trick recipients into downloading the attached files, opening them, and enabling the malicious macros inside.

Once opened, Word or Excel attachments, or documents reached through links in the email, run the malicious macro and install the malware on the targeted computer. Even though the document requires the user to click Enable Editing or Enable Content first, users routinely do so without thinking, and threat actors design the document's lure text precisely to get them to click these buttons.

Some of the most dangerous threats using these methods include Dridex, Emotet, QakBot, and many other information stealers. One of them, TrickBot, has recently changed its targeting.[5] Its operators have turned to Ukraine since the war started in late February 2022, running at least six phishing campaigns whose targeting aligns with Russian state interests.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
