Microsoft confirms VBA macro backtrack is only "temporary"


Microsoft has said its reported unblocking of VBA macros for Office documents is only a temporary measure and they will be blocked again soon by default.

Security experts were quick to criticise Microsoft after the news broke last week that it would be reversing the change it announced in February, one that was greeted overwhelmingly positively at the time.

In a Friday update to the company’s original announcement blog post, Microsoft explained that the rollback of the default VBA macro block was a temporary measure taken while it makes changes to increase usability.

“This is a temporary change, and we are fully committed to making the default change for all users,” it added.

Microsoft has not detailed the timeline for when it expects to re-enable the default block on VBA macros, but plans to provide additional details “in the upcoming weeks”.

Why did Microsoft backtrack?

Angela Robertson, principal group product manager at Microsoft Office 365’s identity and security team, replied to a user on a Microsoft support forum last week explaining that the company’s heralded new stance on VBA macros was going to be reversed.

The company said in February that it would block them by default for five Office apps - news that was greeted warmly by the community, albeit a move many deemed to be long overdue.

Robertson explained that the decision was made following user feedback and that a more detailed explanation would be reaching the community soon.




It’s still unclear what feedback prompted the decision, but Office macros are often used to automate highly manual functions in files such as spreadsheets, and various company departments use them to streamline their workflows.

The issue with VBA macros is that the feature is often abused in phishing attacks. A typical scenario would see a cyber criminal send a specially crafted document to an unwitting victim, encouraging them to download and open the document, such as an Excel file.

The victim would be greeted by a familiar user interface, but in order to interact with the document they would have to click a button in the ribbon to ‘enable content’. In a typical attack, this would then trigger the download and installation of malware or ransomware.

Microsoft’s decision to disable VBA macros by default came into effect in April and experts said the change “had already begun to influence threat actor behaviours to use other things”.

Connor Jones
