Update July 11: In an update to the original blog post announcing the blocking of VBA macros by default, Microsoft said the rollback is temporary while additional changes are made to enhance visibility.
“This is a temporary change, and we are fully committed to making the default change for all users,” Microsoft says in the update.
Customers can still choose to block internet macros through Group Policy settings. Additional details will be provided in the coming weeks, the company says.
The headline and other parts of this article have been updated to reflect the update.
Original story: Microsoft is rolling back a feature that blocked Visual Basic for Applications (VBA) macros by default in Office, saying only that the change is due to feedback.
As reported by BleepingComputer and others, the VBA macro-blocking feature that was first announced by Microsoft in February and released to the Current Channel in April is being reversed “based on feedback” received from users.
“We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you,” the company posted on July 6 to a document page on the macro-blocking feature.
Microsoft notified admins with a similar message in the Microsoft 365 message center Thursday, BleepingComputer reports. The feature, which began rolling out in April, blocks VBA macros by default for five Office apps that run macros, including Access, Excel, PowerPoint, Visio and Word on devices running Windows.
At the time, Microsoft said the change would start with Current Channel (preview) in Version 2203, and then be rolled out to other update channels. The change was also expected to be made to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
Per the Microsoft 365 roadmap, which was updated on Thursday, general availability is now slated for September.
The security feature went a step further than the earlier behavior, which simply presented users with a notification bar warning them about these macros while still letting them enable the macros by clicking a button, Microsoft says.
Microsoft’s now rolled-back setting would show the user a message bar when an untrusted Office file containing macros was downloaded or received as an attachment, explaining that the file contains VBA macros and was blocked.
“Bad actors send macros in Office files to end users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access,” Microsoft wrote in the blog.
Users could click the “Learn More” button to read an article about the security risk of macros and safe practices, as well as instructions on how to enable these macros by saving the file and removing the Mark of the Web (MOTW), an attribute added to files when they are sourced from an untrusted location.
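For teams that want to see which files the default block would have applied to, the following added example (not code from Microsoft or from this article) parses the MOTW, which Windows stores in an NTFS alternate data stream named Zone.Identifier, and triages macro-capable Office files by zone. The function names, sample file names and the example.test URL are constructed for illustration, and the extension list is an assumption that is not exhaustive.

```python
import configparser
import os

# Windows URL security zones; Mark of the Web records one as ZoneId.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
UNTRUSTED = {3, 4}
# Common macro-capable Office extensions (illustrative, not exhaustive).
MACRO_EXTS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}

def parse_motw(stream_text):
    """Parse Zone.Identifier text; return a dict, or None if no valid mark."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        zone_id = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "Unknown"),
            "host_url": cp["ZoneTransfer"].get("HostUrl")}

def read_motw(path):
    """Read a file's Zone.Identifier alternate data stream (NTFS, Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream: created locally, or the mark is gone

def triage(name, stream_text):
    """Classify one file from its name and Zone.Identifier text (or None)."""
    if os.path.splitext(name)[1].lower() not in MACRO_EXTS:
        return "not-macro-capable"
    mark = parse_motw(stream_text) if stream_text else None
    if mark is None:
        return "no-motw"  # the block described above keys off the mark
    return "untrusted-origin" if mark["zone_id"] in UNTRUSTED else "other-zone"

# Constructed sample inputs (file name, stream text); not real files.
SAMPLES = [
    ("invoice.xlsm", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.xlsm\r\n"),
    ("budget.docm", "[ZoneTransfer]\r\nZoneId=1\r\n"),
    ("report.xlsm", None),
    ("notes.docx", "[ZoneTransfer]\r\nZoneId=3\r\n"),
]

if __name__ == "__main__":
    for name, text in SAMPLES:
        print(f"{name}: {triage(name, text)}")
```

On a Windows host, pass `read_motw(path)` as the second argument to `triage` to check real files; macro-capable files in download or mail-attachment folders that come back as `no-motw` are the ones the default block would not have covered.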
Calling the move “unfortunate and disappointing,” Ian McShane, vice president of strategy at Arctic Wolf, says disabling Office macros by default would have been a “huge step forward” for securing a common attack path that is leveraged by notorious malware such as Qakbot and Emotet.
Security teams need to be on high alert now that this attack path is open once again, McShane says.
“This attack path has been a well-known problem for decades and unfortunately, the approach to mitigating the risk of macros has always been on the end user, rather than fix at the source,” McShane says. “I would be prepared for a spike in macro-based cyber attacks, now that this attack path has been made easier again.”