In April, Microsoft dealt a huge blow to malicious malware operations by blocking VBA macros on downloaded documents by default. Security researchers and blue team defenders everywhere rejoiced, while red teams and attackers wept. But now Microsoft has decided to do a 180 and undo the change, enabling VBA macros once again.

The reason behind this rollback is still unknown. We suspect this change was reverted due to some amount of businesses relying on macros for automated data processing. Or perhaps too many end-users found it burdensome to unblock files downloaded multiple times per day. According to Microsoft, this decision was “based on the feedback of customers,” though Microsoft has not shared the exact negative feedback that motivated the rollback. However, users have reported publicly that they were unable to find the “Unblock” button to remove the “Mark of the Web” from downloaded files, which effectively made unblocking macros impossible. 

How Macros Work and Why They Can be Dangerous

Macros, which allow users to automate frequently-used formatting settings, are a holdover from the days of legacy Office. The scripting interface available in newer Office solutions didn’t yet exist, so automating settings meant relying on external tools or writing in Visual Basic for Applications (VBA), an embedded language implementation of Visual Basic 6 (VB6). 

Macros make use of this fully-integrated language, which is capable of automatically running code when a document is opened, and which uses functions calling out to the standard VB6 library. Given these features, it’s clear how macros have led to abuse. 

The initial viruses delivered from macros were mostly harmless or annoying viruses designed to self-spread through desktop email clients and removable media like floppy disks. However, this slowly changed when the internet became mainstream and virus makers realized there was profit to be made in exploiting macros. 

VBA macros are among the most popular entry points for malware operations.  Among these are Melissa, Emotet, TrickBot, Qbot, Concept, and thousands more used in phishing attacks. Attackers don’t need to bring their A-game zero days and exploit packs when they can simply embed a macro in a document, obfuscate it against anti-virus products, and watch the shells come raining in. Malicious actors realized that while it may be difficult to get a target to open an executable file, getting them to open an Office document is far easier, as it’s something they do every day.

A Long-awaited Feature

This now-canceled feature has been highly anticipated and was expected to reach widespread availability in June. It covered Access, Excel, PowerPoint, Visio, and Word applications in the cloud, and traditional versions of Office: Office 365, Office 2021, Office 2019, Office 2016, and Office 2013 for Windows (macOS, iOS, Android, and web versions not included).

If the blocking of VBA macros were indeed implemented, it would be a game changer. This would force attackers to adapt to the new landscape without the easy code execution methods that have worked for decades. 

The disabling of macros would only affect documents obtained from “untrusted” sources as denoted by the NTFS file systems alternative file stream “Mark of the Web”, which is automatically given to files obtained from the internet. This is generally a “good enough” marker that the file probably shouldn’t be executing code on a system. If Microsoft had followed through and kept this new feature, the end user would see a warning when opening up a macro-enabled document downloaded from an untrusted source. It would have a big “SECURITY WARNING” and a link explaining the dangers of loading untrusted macros.

The Big Picture

For now, Microsoft has left unsuspecting users unprotected. Hackers are once again free to send malicious Office documents with VBA scripts (provided they put in some minimal effort to avoid AV detection). These attacks rely on a lack of understanding from the end user about what macros can do. Combined with pretexts such as documents claiming to be from Microsoft, or claiming one must “Enable macros to decrypt the document”, a lot of users will continue getting fooled.

The education of users is important, and anyone who works with company IT should understand the risks of macro-enabled documents. It may not seem like a big deal, but while a company’s external security posture may be robust, its internal security is rarely so certain. Assumed levels of trust exist once inside a physical local network, but users must learn to remain vigilant. 

While there is no silver bullet for security, there are a number of things that can be done to protect you or your company. The first is to look into disabling macros entirely if the business doesn’t use them. This can be done for enterprises through a Group Policy Object (GPO), or for end users through registry changes or Office settings. Further details on disabling macros can be found with Microsoft.