Microsoft says it is going to disable macros in five Office apps by default. Besides Excel 4.0 macros, which were disabled by default last month, now VBA macros obtained from the Internet will be blocked by default as well.

The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. According to Microsoft, this significant security improvement will roll out to other Office update channels at a later date. After this change rolls out, Office users will no longer be able to enable macros with a click of a button after they’ve been automatically blocked.

VBA Macros

VBA is short for Visual Basic Application. VBA can be used to access the Windows Application Programming Interface (API). As such, macros are part of the active content options that Microsoft shipped as automation capabilities that enable users to run tasks in the background. Unfortunately, malware authors have used these capabilities to download and run malware on a large scale.

Attackers have always liked macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. Emotet especially has been known to send emails that contain malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. When a user opens one of the documents, they are prompted to enable macros so that the malicious code hidden in the Word file can run and install Emotet malware on the computer.

Blocked

With this change, untrusted macros will be blocked by default within Access, Excel, PowerPoint, Visio, and Word for any file downloaded from the Internet. Users will also no longer be able to enable content with a click of a button.

Instead, a security alert will appear:

warning message bar
SECURITY RISK Microsoft has blocked macros from running because the source of this file is untrusted. Learn More

The Learn More button goes to an article that contains information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to enable these macros by saving the file and removing the Mark of the Web (MOTW).

Mark of the Web

The MOTW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the Internet or a Restricted Zone. Since the new warning and the block depend on this MOTW, it is important to know some more about it.

In Windows, when files are downloaded from an untrusted location, like the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier. As such, the ability to add these attributes depends on the NTFS filesystem. NTFS is the modern file system Windows likes to use by default. Since Windows XP, when you install Windows, it defaults to format your drive with the NTFS file system. But if you happen to run a FAT32 system the MOTW attribute can’t be added to a file.

There are two main strategies malware can use to circumvent the MOTW attribute. All of the techniques that we have witnessed in the wild can be categorized under these two strategies:

  • Abusing software that does not set MOTW: delivering your payload in a file format which is handled by software that does not set or propagate Zone Identifier information. This works because some cloning and archiving software does not propagate the MOTW to the clone or extracted file.
  • Abusing container formats: delivering your payload in a container format which does not support NTFS’ alternate data stream feature. For example, delivering the payload in an ISO format, a technique that has been used in the wild.

In the first scenario, an attacker will need some inside knowledge as to how the intended victim handles certain file formats, because not all archiving and cloning software removes the MOTW attribute.

Removing the MOTW

On a file per file bases users can remove the MOTW attribute in the file properties.

Unblock remove MOTW
The option to “Unblock” a file that came from an untrusted source (image courtesy Bleeping Computer)

The option to Unblock files can be found in the file properties, on the General tab, under Security. There a user can put a checkmark in the Unblock option.

Note: organizations are already able to use the Block macros from running in Office files from the Internet policy in order to prevent users from inadvertently opening files from the Internet that contain macros. Microsoft recommends enabling this policy, and if you already have this setting enabled your organization won’t be affected by this change. This option has been available since Microsoft Office 2013 and all subsequent versions.

Stay safe, everyone!