The Good
Diana (my partner at Smart Thinking Solutions) loves Microsoft Office macros and her financial Excel spreadsheets are liberally scattered with them. They automate tasks, combine data, automatically generate reports, leverage Windows PowerShell, etc, etc, etc. But she is very aware of the extra step we insist on, that she has to enable macro functionality each time she opens her document – a vital step to stop threat actors exploiting her trust and use of macro functionality.
The Bad
Threat actors soon worked out that Office macros were a really easy and effective way to deliver malware packages to victims (Microsoft, 2022). The ability to use Windows PowerShell only added to the attraction. Because the attack was going to be wrapped up in a Microsoft document, the threat actor could turn to social engineering and disguise their document as something the victim would trust, and so increase the probability that they would open the file and activate the malicious macro. The flexibility of the attack was only limited by the limits of the threat actor’s imagination.
One of the first “mass infection” computer viruses, in March 1999, The Melissa virus, was deployed by a macro in a Word document distributed by email.
The Good
Back in February, Microsoft announced that it would be disabling Office macros originating from the web and this would be a default setting for all of its Office products. I thought this was a good move, as did many other cyber security experts and system admins. It was a positive step forward in cyber security to remove the risk of a user opening a malicious Office document containing a macro designed to run automatically and deploy malware or, even worse, ransomware on a system.
For those that accepted the risk, or required this macro functionality, it could be turned back on by sys admins – companywide if required (Eickmeyer, 2022).
The Ugly
Then Microsoft did a U-turn and disabled the disabling due to user feedback – but they said this was only a temporary measure. It was reported this was because Microsoft documentation was not effective enough to support the change.
The Good – again
On 20 July 2022, Microsoft had got its documentation up to date and it turned on the disable macros function again. Admins who need to manage this can now access a range of web pages showing them the various ways to do this. The rest can enjoy the fact that the delivery of viruses and malware by Office macro has all but been killed off (Eickmeyer, 2022).
However…
We still include Office macro awareness in our cyber security training.
Turned on, turned off, there is still a risk about which your people need to be aware. Recently there was a zero-day attack, named Follina, which utilised Office macro functionality and because of a vulnerability in Microsoft Windows it could execute even if macros were turned off, without user intervention. Microsoft included patches to close this vulnerability in the Patch Tuesday release for June 2022, but as of the publication of this blog, Follina and its variants are still an active threat.
Next time…
Something about VPNs…
Clive Catton MSc (Cyber Security) – by-line and other articles
References
Eickmeyer, K. (2022). Helping users stay safe: Blocking internet macros by default in office. Retrieved November 30, 2022, from https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
Microsoft (2022). Macro Malware. Retrieved November 30, 2022, from https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/macro-malware?view=o365-worldwide