Historically, malicious Office macros have been the equivalent of email’s phishing attempts, launching malware at the click of a user’s mouse. But Microsoft unexpectedly has reinstated VBA macros within Office after “feedback,” according to reports.
In February, Microsoft took action to block Visual Basic (VBA) macros by default. On July 7, however, Bleeping Computer unearthed evidence that Microsoft had in fact reinstated VBA macros within Office, though without informing users of the decision.
To date, Microsoft has warned users about the dangers of untrusted macros, but allowed users to download and run them by manually approving them. Previously, untrusted macros will be blocked by default within Access, Excel, PowerPoint, Visio, and Word for any file downloaded from the Internet. The change originally rolled out to Microsoft’s Current Channel of these Microsoft 365 apps beginning in April, which is where users discovered that Microsoft had altered its stance.
Editor’s Note: This story was originally filed on February 8 and has since been updated to reflect the new information. The original story continues below.
“At a future date to be determined, we also plan to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013,” Microsoft added in a blog post Monday.
Apps like Excel can run scripts and other “active content” to automate processes and import data from outside sources. VBA can be a source of great power for Excel pros. The problem is that without downloading these macros from a trusted source, there’s really no way of telling of what they’re downloading, or what actions that code will take.
Microsoft has recognized the security issues associated with macros for some time. “The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected,” the company wrote in 2016.
Technically, the block will apply to macros downloaded from the Web, with what Microsoft calls with the Mark of the Web applied. The macro will still be loaded if the file comes from a trusted location, or if the macro is digitally signed, with the security certificate supplied to the user. The macro will also run if the user had previously opened the file, before this change in default behavior, and had selected Enable content from the Trust Bar, according to a Microsoft support document. In that case, the macro is considered to be trusted. That support document also details how enterprises can manage macros by policy.
Microsoft has previously put in protections in place to help manage macros, and it’s unclear whether those protections will still be in place. For example, Microsoft announced Application Guard in 2019, as a way to sandbox untrusted spreadsheets and other documents. The idea is that if an untrusted document contained malware, it would be isolated from your PC. Microsoft representatives declined to comment.