Microsoft’s small step to disable macros is a huge victory for security

Tricking someone into enabling macros in a downloaded Microsoft Excel or Word file is an old hacker chestnut. That one click from the target creates a foothold for attackers to take over their devices. This week, however, Microsoft announced a seemingly minor change with huge implications: starting in April, macros will be disabled by default in files downloaded from the Internet.

Macros are small pieces of software used to automate tasks such as data collection without the need to develop additional tools or applications. They can be written directly in Microsoft’s Visual Basic for Applications programming language or set up using translation tools that will turn a series of steps into a VBA macro with no coding skills required. Businesses rely heavily on them, especially those with legacy infrastructure, and they play a critical role in everything from financial services to government organizations. But as an individual Microsoft 365 user, it’s not uncommon for your only interaction with macros to be clicking that pesky “allow” button or deliberately avoiding it.

For attackers, the ability to write small programs in massive, robust applications like Excel or Word creates the opportunity to develop what are essentially macro viruses. Bad actors can also craft these programs to automatically download and run additional malware on victim devices. As a result, everyone has been at risk from the feature for decades, whether they use it in daily life or not, which makes Microsoft’s move this week all the more important.

“A few years from now, we’ll look back on this announcement as the single biggest change Microsoft made to mitigate initial threat access,” says incident responder and former NSA hacker Jake Williams. “Your top threat actors or NSO groups around the world aren’t using this stuff anymore anyway, but it will certainly affect fraudsters, ransomware groups and other criminals.”

At least a quarter of ransomware attacks against businesses or other organizations begin with phishing attempts, which often deliver a malicious document laced with tainted macros, according to Brett Callow, a threat analyst at antivirus company Emsisoft.

“I’m very happy with Microsoft’s announcement,” says Callow. “Cybercriminals, on the other hand, will be far from happy. Indeed, change was long overdue.”

“We’re always working to improve security,” a Microsoft spokesperson said in a statement. “Our products currently provide a warning to all customers that requires them to click before running macros from the Internet. This new feature goes even further with an extra step to protect customers in everyday scenarios.” The company declined to say specifically why it took this step now and didn’t do it earlier.
