Microsoft rolls back blocking Office macros by default after business backlash

For security reasons, Microsoft has long planned to disable the VBA macro feature, which is often used in corporate environments to automate repetitive tasks and save time. But macros are essentially code, so they can be used for many other purposes as well. In fact, macros are used to carry out network attacks all the time.

The most typical case is BEC, or commercial email scams. Such emails usually carry attachments with malicious macros, which induce financial personnel to load and install backdoors. Disabling macros is therefore not a bad thing in some respects. After all, an enterprise that needs macros can enable them itself; they are not completely blocked from running. In addition, what Microsoft disabled is only macros in attachments downloaded from the Internet. Macros developed locally are not blocked from running by default.

According to the announcement (under MC393185 or MC322553) that Microsoft released in the Microsoft 365 message center, the change that disables macros in files downloaded from the Internet by default is being withdrawn, effective now. Microsoft did not explain in detail why the security change was withdrawn, but it mentioned that it received a lot of feedback after releasing the change and that it is working to improve it. Microsoft writes:

“Based on feedback, we’re rolling back this change from Current Channel. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience. We’ll provide another update when we’re ready to release again to Current Channel. Thank you.”

In previous blogs, many companies expressed strong dissatisfaction with the change, saying that Microsoft should improve transparency and communicate with customers in a timely manner. However, Microsoft is only improving the experience rather than giving up on blocking macros from the Internet, and it said it will notify administrators in advance when it is ready to release the change again.

These changes by Microsoft are well researched and deliberate. The annual losses caused by attackers abusing the macro feature are incalculable. Common cases include the Emotet and TrickBot malware families, which use macros to spread. This malware is often bundled with various types of ransomware. The main delivery method is phishing email, and documents such as bills for financial personnel and new orders for sales personnel are the most common lures. When these attachments are opened, a prompt pops up to induce enterprise personnel to enable macros. If the macro is allowed to run, the Trojan executes immediately and loads other Trojans.

Of course, if enterprises really need to use macros, they should provide security training in advance. After all, a single mistake may be fatal to the enterprise. For ordinary users, it is strongly recommended to permanently disable macros.