'This is a terrible idea': Security experts bemoan Microsoft’s backtrack on blocking VBA macros


Microsoft has quietly admitted it will re-enable Visual Basic for Applications (VBA) macros in Office documents, backtracking on a widely praised move earlier this year that blocked macros in files downloaded from the internet by default.

VBA macros in Microsoft Office documents have been abused by cyber criminals for years, mainly as a way to drop malware or ransomware onto enterprise networks, usually in conjunction with a phishing campaign.

Seemingly benign Office documents, usually attached to an email, could carry malicious macros that install malware on an unwitting victim's computer once the victim opens the file and clicks the 'Enable Content' banner.

Security experts from across the industry have heavily criticised Microsoft’s decision to reverse its stance on VBA macros, with figures such as Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), saying “this is a terrible idea”.

“I've lost track of the number of campaigns I saw targeting civil society that used office macros to install malware,” she added.

“Weird decision here by Microsoft to roll back its decision to block VBA macros by default,” added Selena Larson, senior threat intelligence analyst at Proofpoint. “The change had already begun to influence threat actor behaviours to use other things.”

Earlier this week, a contributor to a Microsoft forum asked if Microsoft had reversed its stance on macros after noticing the reverted behaviour while creating an internal presentation on their company’s macro-enabled toolkit.

Replying on the thread, Angela Robertson, principal group product manager at Microsoft Office 365’s identity and security team, confirmed the rollback was happening due to community feedback indicating the change was desired.

Robertson added that Microsoft was preparing a full update for the community and that an explanation of the decision would be released in due course.

Other contributors in the forum thread criticised Robertson’s team for not effectively communicating the change before making it.

The individual behind the original forum post said their company was forced to pay for a digital certificate to sign their VBA macro projects and spend time ensuring their environment was set up for customers in the least inconvenient way possible, only for Microsoft to backtrack without warning.

“Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management,” they said. “I appreciate your apology, but it really should not have been necessary in the first place, it's not like Microsoft are new to this.”

IT Pro approached Microsoft for further information but it did not reply.

What are VBA macros and why did Microsoft block them?

VBA macros allow Microsoft Office document creators to add functionality to files such as spreadsheets, typically to automate repetitive manual tasks. Accounting and finance teams within businesses are known to make regular use of them.

Cyber criminals realised years ago the feature could be abused to trick users into installing malware using the same automation functionality.

A common threat vector involved criminals convincing business users to download a seemingly innocuous Office document from an email and open it while connected to their corporate network.

Upon opening the document, users would be presented with a banner prompting them to 'Enable Content'. The document body would typically be a lure, appearing blank, blurred or unreadable and claiming it could not be viewed until the banner prompt was accepted.

Enabling the content that was preloaded by the attacker would then lead to the document downloading and installing malware or ransomware onto the victim’s machine.
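The attack chain above starts with a document that carries a VBA project, so the first thing a mail gateway or an analyst can check is whether an attachment has one at all. The following Python script is an added example for this article, not code from Microsoft or from any vendor quoted here. It inspects the zip container of a modern Office file (.docm, .xlsm, .pptm) for a vbaProject.bin part and for the macro-enabled content types that Office declares in [Content_Types].xml; the build_sample() helper constructs a minimal stand-in container for testing and is not a real Word-generated file. Legacy binary formats (.doc, .xls, OLE2/CFB) are a different container and are not covered by this check.

```python
"""Triage check: does an OOXML Office document carry a VBA macro project?

Added example for illustration (not the article's or Microsoft's code).
Usage: python macro_check.py file1.docm file2.xlsx ...
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Content type Office assigns to the vbaProject.bin part.
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
# Main-part content types of macro-enabled Word, Excel and PowerPoint files.
MACRO_ENABLED_MAIN_CTS = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for an OOXML blob.

    has_macros is true if a vbaProject.bin part is present anywhere in the
    package OR the content-types manifest declares a VBA project part.
    Either signal alone is enough to route the file for closer inspection.
    """
    findings = {
        "is_ooxml": False,
        "vba_parts": [],
        "ct_declares_vba": False,
        "macro_enabled_main": False,
        "has_macros": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: .doc/.xls, RTF, PDF, etc.
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return findings  # a zip, but not an OOXML package
    findings["is_ooxml"] = True
    # Any part named vbaProject.bin, regardless of folder, is a macro project.
    findings["vba_parts"] = sorted(
        n for n in names if n.lower().endswith("vbaproject.bin")
    )
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    for el in root:  # <Default> and <Override> children of <Types>
        ct = el.get("ContentType", "")
        if ct == VBA_PROJECT_CT:
            findings["ct_declares_vba"] = True
        if ct in MACRO_ENABLED_MAIN_CTS:
            findings["macro_enabled_main"] = True
    findings["has_macros"] = bool(findings["vba_parts"]) or findings["ct_declares_vba"]
    return findings


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word file."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macros
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macros:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Stub body with the CFB magic bytes a real vbaProject.bin starts with.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = inspect_ooxml(fh.read())
        verdict = "MACROS" if result["has_macros"] else "clean"
        print(f"{path}: {verdict} {result}")
```

Because Office refuses to open a macro-enabled package whose extension does not match its content type, the content-type check and the part-name check normally agree; the script reports both so that a mismatch itself becomes a signal worth a look.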

This attack is very common, according to Netskope, which concluded that macro-enabled Office documents that led to the download of malware increased 37% in 2021 versus 2020.

Speaking to IT Pro when the change was first announced in February this year, Joseph Carson, chief security scientist at Delinea, called the decision to disable VBA macros by default "a huge win for security".

The blocking of VBA macros came into effect two months later, in April 2022, and in the same week cyber criminals were already demonstrating ways to bypass the new default, dropping Emotet malware and exploiting other code execution vulnerabilities instead.

Speaking to IT Pro at the time, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said that macro-enabled documents formed “a large part of the threat landscape” but threat actors will always seek new ways to infect end-users.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.