'This is a terrible idea': Security experts bemoan Microsoft’s backtrack on blocking VBA macros

Experts express bewilderment over the decision to reverse the long-overdue macro block, as fears mount that cyber criminals can take advantage

Microsoft has quietly admitted it'll re-enable Visual Basic for Applications (VBA) macros on Office documents, backtracking on a widely-praised move earlier this year that sought to block their use by default.

VBA macros in Microsoft Office documents have been abused by cyber criminals for years, mainly as a way to drop malware or ransomware onto enterprise networks, usually in conjunction with a phishing campaign.

Seemingly benign Office documents, usually attached to an email, could carry malware that is installed on an unwitting victim’s computer once they open the document and click an ‘enable content’ banner.

Security experts from across the industry have heavily criticised Microsoft’s decision to reverse its stance on VBA macros, with figures such as Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), saying “this is a terrible idea”.

“I've lost track of the number of campaigns I saw targeting civil society that used office macros to install malware,” she added. 

“Weird decision here by Microsoft to roll back its decision to block VBA macros by default,” added Selena Larson, senior threat intelligence analyst at Proofpoint. “The change had already begun to influence threat actor behaviours to use other things.”

Earlier this week, a contributor to a Microsoft forum asked if Microsoft had reversed its stance on macros after noticing the reverted behaviour while creating an internal presentation on their company’s macro-enabled toolkit.

Replying on the thread, Angela Robertson, principal group product manager at Microsoft Office 365’s identity and security team, confirmed the rollback was happening due to community feedback indicating the change was desired.

Robertson added that Microsoft was preparing a full update for the community and that an explanation of the decision would be released in time.

Other contributors in the forum thread criticised Robertson’s team for not effectively communicating the change before making it.

The individual behind the original forum post said their company was forced to pay for a digital certificate to sign their VBA macro projects and spend time ensuring their environment was set up for customers in the least inconvenient way possible, only for Microsoft to backtrack without warning.

“Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management,” they said. “I appreciate your apology, but it really should not have been necessary in the first place, it's not like Microsoft are new to this.”

IT Pro approached Microsoft for further information but it did not reply.

What are VBA macros and why did Microsoft block them?

VBA macros allow Microsoft Office document creators to add functionality to things like spreadsheets that automate manual functions. Accounting and finance teams within businesses are known to make use of them regularly.

Cyber criminals realised years ago the feature could be abused to trick users into installing malware using the same automation functionality.

A common threat vector involved criminals convincing business users to download a seemingly innocuous Office document from an email and open it while connected to their corporate network. 

Upon opening the document, users would be presented with a banner prompting them to ‘enable content’. The document would be frozen and unusable until the banner prompt was accepted.

Enabling the content that was preloaded by the attacker would then lead to the document downloading and installing malware or ransomware onto the victim’s machine.

This attack is very common, according to Netskope, which concluded that macro-enabled Office documents that led to the download of malware increased 37% in 2021 versus 2020.

Joseph Carson, chief security scientist at Delinea, said the decision to disable VBA macros by default was “a huge win for security” when the announcement was first made in February this year, speaking to IT Pro at the time.

The blocking of VBA macros came into effect two months later in April 2022, and in the same week, cyber criminals were already demonstrating ways to bypass the default macro rules to drop Emotet malware and exploit other code execution vulnerabilities.

Speaking to IT Pro at the time, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said that macro-enabled documents formed “a large part of the threat landscape” but threat actors will always seek new ways to infect end-users.
