Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.
Macro-based malware infection is still increasing
Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.
Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.
In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.
Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.
The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.
Block the macro, block the threat
In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:
1.Allows an enterprise to selectively scope macro use to a set of trusted workflows.
2.Block easy access to enable macros in scenarios considered high risk.
3.Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.
This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:
1.Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
2.Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email)
3.Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).
Let’s walk through a common attack scenario and see this feature in action.
Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.
Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.
James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.
Use Group Policy to enforce the setting, or configure it individually
Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:
1.Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
2.In the Group Policy Management Editor, go to User configuration.
3.Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
4.Open the Block macros from running in Office files from the Internet setting to configure and enable it.
Final tips
For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.
For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.
