Macro-Based Malware: A New Way to Fight It

Microsoft Office macros carrying malware have been around for nearly three decades. These attacks involve inserting code into a seemingly innocuous Word or Excel macro, which an unsuspecting user then downloads by clicking on a phishing lure or simply opening a misdirected attachment. The link above will take you to a more detailed explanation of how they work and why they have been so hard to stop.

The good news? We may have finally reached a milestone in the fight against this malware. Microsoft has made it a little harder for macro viruses to proliferate with a recent change to its default macro security policies. The change affects only the Windows versions of Access, Excel, PowerPoint, Visio, and Word. It is now being deployed across different versions of Office.

Before we discuss what has changed, you should know that macro-type malware is still a problem. About a month ago, a new zero-day vulnerability named Follina was reported. It leverages Word’s remote template feature and can remotely execute PowerShell commands. The name comes from the area code of an Italian city, a number that researchers found embedded in the malware code. It works if users download the document and open it in older versions of Office. Researchers have found evidence of Follina’s deployment since last October. Although technically not a macro, it is another clever way attackers sneak into a network.

What has Microsoft done to help protect against malicious macros?

Changes to this setting are easy to spot. If you clicked on a macro before, you received a warning like this:

But once the new setting is applied, this is what you see:

That’s fine for the default setting, but what if you still have to use legitimate macros?

An IT manager I spoke to told me that he couldn’t disable macros by default because too many people in his organization use them for real purposes, such as running their CRM system. This is a very typical situation, and it is one of the reasons why it took Microsoft so long to fix the macro malware issue: macros are too useful, and therefore integral to the productivity of many employees.

Microsoft has two Group Policy settings to unblock macros from the Internet: the Block Execution of Macros in Office Files from the Internet policy and the VBA Macro Notification Settings policy. There’s still a lot of work to put in place, as the policies need to be configured for each individual Office application.
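Because the settings are per application, it is easy to leave one of the five apps unconfigured. The following PowerShell audit is an added example, not code from the article; it reads the registry values those two policies write for each affected application and flags the risky combinations. The `16.0` policy paths and the `blockcontentexecutionfrominternet` / `VBAWarnings` value names are the Office 2016-and-later policy keys as documented by Microsoft, assumed here rather than taken from the page.

```powershell
# Added example: audit the per-application Group Policy registry values behind the
# "Block macros from running in Office files from the Internet" and
# "VBA Macro Notification Settings" policies.
# Assumptions: Office 16.0 (2016/2019/2021/Microsoft 365); policy may be set in
# either the per-user (HKCU) or machine-wide (HKLM) policy hive.
$Apps  = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'
$Hives = 'HKCU:', 'HKLM:'

# Meaning of each VBAWarnings value as set by the notification policy
$VbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        foreach ($hive in $Hives) {
            $key   = "$hive\Software\Policies\Microsoft\Office\16.0\$app\Security"
            $block = $null
            $vba   = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $block = $props.blockcontentexecutionfrominternet
                $vba   = $props.VBAWarnings
            }

            $blockText = 'not configured'
            if ($null -ne $block) { $blockText = if ($block -eq 1) { 'Enabled' } else { 'Disabled' } }

            $vbaText = 'not configured'
            if ($null -ne $vba) { $vbaText = $VbaMeaning[[int]$vba] }

            # Risky: the Internet block explicitly disabled, or all macros enabled
            $risky = ($block -eq 0) -or ($vba -eq 1)

            [pscustomobject]@{
                Application       = $app
                Hive              = $hive
                BlockFromInternet = $blockText
                VBAWarnings       = $vbaText
                Risky             = $risky
            }
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Rows showing "not configured" in both hives fall back to the application's default behaviour, which after Microsoft's change means Internet-sourced macros are blocked; a `Risky` row marks an application where policy has explicitly weakened that default.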

So are we completely in the clear?

Not quite, as Follina illustrated. You should always be on the lookout for these instances of macro-type malware. As a general rule, don’t click on anything you get online without at least some protection installed on your computer.
