Microsoft resumes blocking Office VBA macros by default after ‘temporary pause’


Microsoft has officially resumed blocking Visual Basic for Applications (VBA) macros in Office apps by default, weeks after the temporary announcement of plans to roll back the change.

“Based on our assessment of customer feedback, we have made updates to both our End User and our IT Administrator documentation to make it clearer what options you have for different scenarios,” the company says said in an update on July 20.

Earlier in February, Microsoft announced its plans to disable macros by default in Office applications such as Access, Excel, PowerPoint, Visio and Word as a way to prevent threats from abusing the feature to deliver malware.

It is a well-known fact that a majority of malicious cyber attacks today use email-based phishing lures to distribute fake documents containing malicious macros as the primary vector of first access.

“Macros can add a lot of functionality to Office, but they are often used by people with bad intentions to spread malware to unsuspecting victims,” ​​the company says. notes in its documentation.

By disabling the option by default for any Office file downloaded from the Internet or received as an email attachment, the aim is to eliminate a whole class of attack vectors and prevent the activities of malware such as Emotet, IcedID, Qakbot and to upset Bumblebee.

However, Microsoft backtracked on the change in the first week of July, telling The Hacker News that it is pausing the rollout of the feature to make additional usability improvements.

In the intervening months since it began previewing the tweaks in April, the tech giant’s decision to block macros has had a ripple effect of its own, causing opponents to tweak their campaigns to resort to alternative distribution methods like .LNK and . ISO files.

That said, using malicious macros as an entry point to trigger the infection chain is not limited to just Microsoft Office.

Last week, HP Wolf Security marked an “unusually stealthy malware campaign” that uses OpenDocument text files (.odt) to distribute malware targeting the hotel industry in Latin America.

The documentsattached with fake booking request emails, prompt recipients to enable macros, resulting in the execution of the AsyncRAT malware payload.

“The detection of malware in OpenDocument files is very poor,” said security researcher Patrick Schläpfer. “OpenDocument file structure is not as well analyzed by antivirus scanners as it is often used in malware campaigns.”

“Many email gateways would warn about more common file types containing multiple linked documents or macros, but OpenDocument files are not retrieved and blocked this way – meaning protection and detection fail in the first stage.”