Menu
Microsoft adds macros lockdown feature in Office 2016 in response to increasing attacks

Microsoft adds macros lockdown feature in Office 2016 in response to increasing attacks

Enterprise administrators will be able to disable macros for documents obtained from the Internet

Enterprise system administrators can now block attackers from using a favorite malware infection method: Microsoft Office documents with malicious macros.

Microsoft this week added a new option in Office 2016 that allows administrators to block macros -- embedded automation scripts -- from running in Word, Excel and PowerPoint documents that originate from the Internet.

Microsoft Office programs support macros written in Visual Basic for Applications (VBA), and they can be used for malicious activities like installing malware. Macro viruses were popular more than a decade ago but became almost extinct after Microsoft disabled macros by default in its Office programs.

But the technique made a comeback during the past two years, as attackers have figured out they can use some clever social engineering to convince users to execute macros embedded in documents.

For example, hackers send spam emails masquerading as invoices and other business-related messages with malicious Word documents attached. When opened, the documents show a fake warning message saying the content cannot be displayed for security reasons until the user enables macros.

Both cybercriminal and cyberespionage groups currently use this technique, to the extent that Microsoft's threat data from Office 365 shows macros are involved in 98 percent of Office-related attacks.

Office has long included a setting to block macros in all documents without warning the user and offering the option to bypass the restriction. However, this is not practical for many enterprises because macros can serve a legitimate purpose and are useful for certain businesses workflows.

That's why Microsoft has now come up with a better solution: a group policy setting that administrators can use to disable macros only for Office files obtained from locations that Windows considers part of the Internet zone. This includes files downloaded from any Internet websites, including cloud storage providers like Microsoft OneDrive, Google Drive and Dropbox; documents attached to emails received from addresses outside the organization; and documents downloaded from file-sharing sites.

The new setting is called, "block macros from running in Office files from the Internet" and can be found in the group policy management editor under User configuration > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center. It can be configured for each Office application.

When the setting is enabled, a user who attempts to open a document that contains macros will see a blocked content warning: "Macros in this document have been disabled by your enterprise administrator for security reasons." The user won't have an option to manually bypass the restriction.

"For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust -- in case they’ve been hacked," researchers from the Microsoft Malware Protection Center said in a blog post.

"For enterprise administrators, turn on mitigations in Office that can help shield you from macro-based threats, including this new macro-blocking feature," they added. "If your enterprise does not have any workflows that involve the use of macros, disable them completely."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments