Search the Community
Showing results for tags 'macros'.
Karlston posted a news in Security & Privacy NewsEarlier this month, Microsoft surprised its customers with a sudden U-turn regarding its plans to block VBA macros in popular Office apps. Shortly afterward, the company clarified that it plans to reinstate the new policy after making "some additional changes to enhance usability." Now Microsoft is once again ready to start blocking Office internet macros by default. The software giant has updated its documentation with clear step-by-step instructions explaining what the end user can do with a blocked macro. With the new rules in place, users will see a security warning notification when trying to open an Office file with a macro coming from the internet. The message will show a "Learn More" button linked to a support page describing risks related to opening files with VBA macros. Also, the article provides information about enabling macros in case the user trusts the file. You can access the support page via this link. Microsoft says negative user feedback caused the company to temporarily undo the changes and consider providing better information about such a drastic change in Office applications. The new documentation now provides all the information users and IT admins need to understand how Office determines whether to block or run macros in files from the internet, which Office versions are affected by the new rules, how to allow VBA macros in trusted files, and how to prepare for the change. Microsoft plans to start blocking VBA macros in Office Access, Excel, PowerPoint, Visio, and Word in the Current Channel from July 27, 2022 (Office version 2206 and newer). The idea behind the decision is to eliminate an attack surface that bad actors exploit to infect systems with malware and ransomware. Microsoft will soon start blocking Office macros once again
Karlston posted a news in Security & Privacy NewsWhile Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice. The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word. "Based on feedback, we're rolling back this change from Current Channel," the company notified admins in the Microsoft 365 message center (under MC393185 or MC322553) on Thursday. "We appreciate the feedback we've received so far, and we're working to make improvements in this experience. We'll provide another update when we're ready to release again to Current Channel. Thank you." The change began rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022, with general availability to be reached in June 2022, as BleepingComputer previously reported. This was a welcome and highly expected change, given that VBA macros are a popular method to push a wide range of malware strains (including Emotet, TrickBot, Qbot, and Dridex) via phishing attacks with malicious Office document attachments. With VBA macros blocked by default, everyone was expecting attacks that delivered malware (such as information-stealing trojans and malicious tools used by ransomware groups) to be automatically thwarted. On systems where VBA macros aut0blocking is enabled, customers see a "SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted" security alert. If clicked, the warning sends users to an article containing information about the security risks behind threat actors' use of Office macros and instructions on enabling these macros if absolutely necessary. Mockup of new Office macros security alert (BleepingComputer) Confused users asking for an explanation, more transparency Microsoft's customers were the first to notice that Microsoft rolled back this change in the Current Channel on Wednesday, with the old 'Enable Editing' or 'Enable Content' buttons shown at the top of downloaded Office documents with embedded macros. "Is it just me or have Microsoft rolled this change back on the Current Channel?" one Microsoft Office user asked in the comments of Microsoft's February blog post announcing that VBA macros will be disabled. "It feels like something has undone this new default behaviour very recently... maybe Microsoft Defender is overruling the block?" "Based on feedback received, a rollback has started. An update about the rollback is in progress," replied Angela Robertson, a Principal GPM for Identity and Security on the Microsoft 365 Office team. "I apologize for any inconvenience of the rollback starting before the update about the change was made available." Another customer complained about Microsoft's "lack of communication" after announcing this change and asked the company to share more info on this rollback "elsewhere." "Your standard SMB and even mid-sized businesses are going to implode if this gets fully implemented in it's current form," the customer said. "You seem to be catering to enterprises now that have very large teams of people to manage your products, and that's simply not the case for most of the user base. It needs to be simplified before it's released, and moreso, it needs to be effectively communicated." "Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management," another added. While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros. Other admins felt that the decision was a problem for end-users who would find it burdensome to unblock files that they download every day, if not multiple times per day. A Microsoft spokesperson was not immediately available for comment when BleepingComputer reached out earlier today. Microsoft rolls back decision to block Office macros by default
Karlston posted a news in Security & Privacy NewsMicrosoft will soon begin disabling Excel 4.0 XLM macros by default in Microsoft 365 tenants to protect customers from malicious documents. Excel 4.0 macros, or XLM macros, were first added to Excel in 1992 and allowed users to enter various commands into cells that are then executed to perform a task. Malicious XLS document with obfuscated Excel 4.0 macro While VBA macros were introduced in Excel 5.0, threat actors continue to XLM macros twenty years later in malicious documents that download malware or perform other unwanted behavior. Malicious campaigns utilizing Excel 4.0 XLM macros include ones for malware, such as TrickBot, Qbot, Dridex, Zloader, and many more. Due to their continued abuse, Microsoft has been recommending users switch from and disable Excel 4.0 XLM macros for years in favor of VBA macros. This recommendation is because VBA macros support the Antimalware Scan Interface (AMSI), which can be used by security software to scan macros for malicious behavior. To disable Excel 4.0 macros, Windows admins can use group policies to disable the feature, and users can disable it via the Excel Trust Center using the Enable XLM macros when VBA macros are enabled setting. Enable XLM macros when VBA macros are enabled in Excel Trust Center Microsoft to disable Excel 4.0 macros in all tenants Instead of waiting for organizations to disable XLM macros on their own, Microsoft announced yesterday that they would be disabling Excel 4.0 macros by default starting in October in preview builds and then moving onto the current channel in November. "We are introducing a change to the Excel Trust Center Macro settings to provide a more secure experience for users by default. This new default behavior will disable Excel 4.0 macros," explained an advisory in the Microsoft 365 message center. Microsoft will begin disabling Excel 4.0 macros in all tenants using this rollout schedule: Insiders-Slow: will rollout in late October and be complete in early November. Current Channel: will rollout in early November and be complete in mid-November. Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-December. Microsoft will not be making any changes for users who have manually configured this setting or configured it via group policies. When the change rolls out, the Enable XLM macros when VBA macros are enabled setting will be unchecked by default, which disables XLM macros. Microsoft states that users who wish to enable XLM macros after this rollout has finished can do so in the Excel Trust Center. Microsoft is disabling Excel 4.0 macros by default to protect users