Microsoft Deploys Macro Blocking Feature in Office to Curb Malware

Microsoft has implemented a new feature in Office designed to curb malware and ransomware by blocking macros in enterprise environments.

If it ain’t broke, don’t fix it. If there’s one thing the recent surge in threats using macros to spread malware has shown, it’s that the vector is clearly working for attackers.

Developers at Microsoft hope a feature in the latest version of Microsoft Office will reduce the frequency of those attacks by giving administrators the ability to block macros from running on machines on their network.

While macros – a series of commands stored in documents – are disabled by default on most networks, duplicitous hackers have taken to using email subject lines having to do with invoices and HR as phishing lures to get victims to open documents and enable them.

According to a post on the company’s Threat Research and Response blog this week, the new macro blocking feature can be enabled on Word, Excel, and PowerPoint – either via a Group Policy, or on an individual basis.

The feature, which can be found in Office’s Group Policy Management Console for Office 2016, allows admins to scope macro use to a set of trusted workflows, and block users’ ability to enable macros in scenarios it considers high risk. If a user attempts to enable macros in a document, they’re given a stricter notification, a red bar, warning them that macros have been disabled for security reasons.


“This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document,” the post reads.

The company claims the mechanism should help thwart attacks spread in attachments from emails sent outside the organization, from documents downloaded from storage sites, like Dropbox and Google Drive, and from documents opened from public shares.
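The “security zone information” the feature consults is the Zone.Identifier alternate data stream that Windows attaches to files saved from a browser or mail client. As an added example (not code from the article or from Microsoft), the following Python parses that stream and decides whether the policy described above would block macros for the document; it assumes the standard URLMON zone numbering, and treating the Restricted Sites zone like the Internet zone is an assumption of the example, not something the article states.

```python
"""Decide whether Office 2016's Internet-macro block applies to a file,
from the Zone.Identifier stream Windows attaches to downloaded files."""
import configparser
from enum import IntEnum
from typing import FrozenSet, Optional


class UrlZone(IntEnum):
    LOCAL_MACHINE = 0
    INTRANET = 1
    TRUSTED = 2
    INTERNET = 3
    RESTRICTED = 4


# The article names the Internet zone only; treating Restricted Sites the
# same way is an assumption here, kept as an explicit parameter.
BLOCKED_ZONES: FrozenSet[UrlZone] = frozenset({UrlZone.INTERNET, UrlZone.RESTRICTED})


def parse_zone_identifier(stream_text: str) -> Optional[UrlZone]:
    """Parse the INI-style [ZoneTransfer] block; None if no usable ZoneId."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return UrlZone(parser.getint("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the stream on NTFS (Windows only); None if absent or unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def macros_blocked(stream_text: Optional[str], blocked=BLOCKED_ZONES) -> bool:
    """No stream (file created locally, or unblocked) means normal behaviour."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text)
    return zone is not None and zone in blocked


# Constructed sample streams, shaped like what a browser writes on download.
SAMPLE_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                   "HostUrl=https://example.invalid/invoice.docm\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, text in (("download", SAMPLE_DOWNLOAD), ("intranet", SAMPLE_INTRANET)):
        print(name, parse_zone_identifier(text).name, "blocked" if macros_blocked(text) else "allowed")
```

On a Windows host, `macros_blocked(read_zone_identifier("invoice.docm"))` applies the same check to a real file; elsewhere the reader returns None and the file is treated as local.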

Microsoft’s Malware Protection Center first warned of campaigns beginning to use the old school technique again back in January 2015, claiming that over the course of December 2014 infections spiked to 8,000 on some days.

Since then, the technique has flourished and attackers have begun leveraging macros in document files to drop the banking Trojan Dridex, bots like Kasidet, and as of late, ransomware like Locky. While

Earlier this year attackers working with the BlackEnergy APT group were spotted using Word documents to drop payloads on Ukrainian users. The group is no stranger to using Office files; in the past they’ve also used weaponized Excel and PowerPoint documents to trick users into spreading infections.


According to stats from Microsoft’s Exchange Online Advanced Threat Protection service, the overwhelming majority of threats that target Office, 98 percent, are macro-based.

Taking the uptick in infections into account, the company is urging enterprise admins to turn on the macro-blocking feature if they haven’t already done so and turn off any workflows that involve macro usage.

“This is the most comprehensive mitigation that you can implement today.”


Discussion

  • BT7474 on

    Using a stand-alone PC upgraded from Windows 7 to Windows 10. Does this problem affect the Office 2007 package (Word, Outlook, Excel, etcetera)? Doesn't security software such as Norton Security prevent such problems?
  • NotanameIknow on

    Cannot speak to Word 2007, but I do not see this option in the Word 2010 group policy templates. Guess it is 2016 only.
  • Anonymous on

    There are group policies for 2007 - 2013 that will allow similar Macro protection.
  • BT7474 on

    Thank you. Ironically, does it mean that Microsoft's latest Office application, which requires a direct debit instead of a one-off payment, is less secure, e.g. 365 I think it is called?
