Microsoft rolls back a default macro block in Office

A new Office security restriction that was a major blow to phishing and malware distribution via email has apparently been rolled back.

Microsoft has decided to wind back a new-ish security restriction in Office that was heralded a “game changer” for the cybersecurity industry because it would block a favorite – and effective – technique used by crooks to distribute phishing and malware threats in email. 

Since April, Microsoft has blocked by default VBA macros obtained from the internet in Office apps on devices running Windows. The in-scope apps included Excel, PowerPoint, Visio, and Word.

SEE: Best Windows laptop 2022: Top notebooks compared

Microsoft kicked off the macro block in the Current Channel (preview) of Office on Windows with the intention to roll it out to other Office distribution channels, including Monthly Enterprise, Semi-Annual Enterprise Channels and the Long Term Servicing Channel version of Office. The feature was rolled out to the Current Channel. 

But, via Bleeping Computer, Microsoft on Thursday informed admins that it was rolling back the change with no other explanation for the decision beyond it was “based on feedback”. 

“Based on feedback, we’re rolling back this change from Current Channel,” Microsoft told admins in the Microsoft 365 message center on Thursday.   

However, Microsoft does appear to suggest the roll back is temporary, telling Microsoft 365 admins: “We’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.”

The move caught Office admins by surprise. One user commenting on Microsoft’s February blogpost announcing the feature asked: “Is it just me or have Microsoft rolled this change back on the Current Channel?”

“Based on feedback received, a rollback has started,” Microsoft employee Angela Robertson wrote. “An update about the rollback is in progress. I apologize for any inconvenience of the rollback starting before the update about the change was made available.”

ZDNet has asked Microsoft why it decided to roll back the feature and will update the story if it provides a response. 

UK cybersecurity expert Kevin Beaumont in February called the macro block “potentially a game changer for the cybersecurity industry, and, more importantly customers” because macros account for about a quarter of all initial access incidents for ransomware deployments. 

Beaumont was shocked Microsoft had rolled back the feature without informing customers. 

“The single most impactful change Microsoft could have made to radically improve a real world cybersecurity issue in their own back garden (that they directly profit from) was rolled back without even being communicated,” he wrote on Twitter.     

“This is a terrible idea,” wrote Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation. “I’ve lost track of the number of campaigns I saw targeting civil society that used office macros to install malware.”

Most people don’t use macros, but some business units and organizations rely heavily on the Visual Basic for Applications (VBA) macro scripts or “active content” to automate repetitive tasks in spreadsheets and documents. Ahead of the rollout, Microsoft warned finance departments and independent software vendors in particular to change how they use macros. 

SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today

For years, Office has by default disabled macros from running. When users receive an email with an Office attachment embedded with a macro, Office displays a notification bar that warns users of the security risks of running these macros.  

But users can enable macros by clicking a button, which attackers have dreamed numerous ways of tricking users into doing. For example, once a user downloads a malicious Excel document with a macro, the text in the document claims the file is “protected” by Microsoft and that to view the content the user must enable macros.    

Microsoft in December detailed how advanced cybercrime groups like Qakbot have used exactly this kind of trickery to get their VBA macros and legacy Excel 4.0 macros to run and from there deliver ransomware or information-stealing malware.  

Hence, the default block on all Office macros from the internet, which was expected to create a major obstacle to delivering malware through malicious email attachments. It was a step up from a “tactical” change Microsoft introduced in Office 2016 that let admins “selectively scope macro use to a set of trusted workflows” and “block easy access to enable macros in scenarios considered high risk.” Back then Microsoft said that 98% of Office-targeted threats use macros.

The newer default VBA macro block presented a red warning and a clickable “learn more” button when users open an attachment or download an untrusted file from the internet containing macros. 

The “learn more” button leads to a Microsoft page explaining how macros are used by people with bad intentions and at the bottom of the page, behind a drop down arrow about unblocking macros, is an explanation for how to manually enable macros.   

With the auto block enabled, Windows adds a Mark of the Web (MOTW) attribute to Office files sourced from the internet. Admins can remove the MOTW manually. Microsoft has details about how to do this in its document for the feature.     

One commenter on Microsoft’s blog criticized the company for its lack of communication about the roll back, but also how it communicated the auto block in the first place. They also point out that the current implementation of the block on macros using MOTW is too complicated for small and medium businesses (SMBs).