Experts bemoan Microsoft’s ‘terrible’ rollback on blocking VBA macros


Microsoft has quietly admitted it will re-enable Visual Basic Application (VBA) macros on Office documents, reversing a widely hailed move earlier this year that aimed to block their use by default.

VBA macros in Microsoft Office documents have been used by cybercriminals for years, primarily to drop malware or ransomware onto corporate networks, usually in conjunction with a phishing campaign.

Seemingly benign Office documents, usually attached to an email, can contain malware that is installed on an unwitting victim’s computer once the document is opened and the “Enable Content” banner is clicked.

Security experts from across the industry have been highly critical of Microsoft’s decision to reverse its stance on VBA macros, with figures such as Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), saying “It’s a terrible idea”.

“I lost track of how many campaigns I saw targeting civil society that used desktop macros to install malware,” she added.

“Strange decision here from Microsoft to reverse its decision to block VBA macros by default”, added Selena Larson, senior threat intelligence analyst at Proofpoint. “The change had already started to influence the behaviors of threat actors to use other things.”

Earlier this week, a contributor to a Microsoft forum asked if Microsoft had reversed its stance on macros after noticing the reversed behavior when creating an internal presentation about their company’s macro-enabled toolkit.

In response to the thread, Angela Robertson, Senior Group Product Manager on the Microsoft Office 365 Identity and Security team, confirmed that the rollback is happening in response to community feedback indicating that the change was desired.

Robertson added that Microsoft is preparing a full update for the community and that the explanation of the decision will be released in time.

Other forum thread contributors criticized Robertson’s team for not effectively communicating the change before making it.

The person who posted the original forum post said that his company was forced to pay for a digital certificate to sign his VBA macro projects and spent time making sure his environment was set up for customers in the least intrusive way possible, only for Microsoft to roll back without warning.

“Undoing a recently implemented change in default behavior without at least announcing that the rollback is about to happen is very poor product management,” they said. “I appreciate your apology, but it really shouldn’t have been necessary in the first place, it’s not like Microsoft is new to this.”

IT Professional approached Microsoft for more information, but Microsoft did not respond.

What are VBA macros and why did Microsoft block them?

VBA macros allow creators of Microsoft Office documents to add functionality to files such as spreadsheets, automating tasks that would otherwise be done by hand. Corporate accounting and finance teams are known to use them regularly.

Cybercriminals realized years ago that the same automation could be abused to trick users into installing malware.

A common threat vector involved criminals tricking business users into downloading a seemingly innocuous Office document from an email and opening it while connected to their corporate network.

Upon opening the document, users would see a banner prompting them to “enable content”. The document would appear frozen and unusable until the prompt was accepted.

Enabling the content the attacker had pre-loaded would then lead to the download and installation of malware or ransomware on the victim’s machine.

This attack is very common, according to Netskope, which found that macro-enabled Office documents that led to malware downloads increased by 37% in 2021 compared to 2020.

Joseph Carson, chief security scientist at Delinea, speaking to IT Professional when the decision to disable VBA macros by default was first announced in February this year, called it “a huge win for security”.

VBA macro blocking went into effect two months later, in April 2022, and in the same week cybercriminals were already demonstrating ways to bypass the default macro rules to drop Emotet malware and achieve other forms of code execution.

Speaking to IT Professional at the time, Sherrod DeGrippo, vice president of research and threat detection at Proofpoint, said macro-enabled documents were “a big part of the threat landscape,” but that threat actors will always look for new ways to infect end users.
