Microsoft is making it tougher for enterprises to fall victim to macro-based attacks that prey on Office users. A new policy-setting feature in Office 2016 allows administrators to block macros from untrusted sources.
Office macros are sharable bits of code that are meant to automate mundane and repetitive tasks, allowing users to save time while working on Microsoft Word, Excel and PowerPoint files. Naturally, malware authors had other plans.
Macro-based malware continues to be a thorn in the side of IT personnel tasked with securing their organizations’ systems. According to data from Microsoft’s own Office 365 Advanced Threat Protection service, 98 percent of threats targeting Office in the enterprise employ macros.
Microsoft has tried to mitigate the threat with the Protected View feature in Word, Excel and PowerPoint. Available since Office 2010, Protected View is a sandboxed version of a given document that disables macros and other potentially unsafe content. It generates a warning message, but users still have the option to enable editing, which opens the file using the software’s full capabilities.
According to Microsoft, attackers are growing more adept at using social-engineering tactics to prod users into opening unsafe Office files. Borrowing phishing techniques, attackers may include warnings of their own in the body of an email, paradoxically labeling their own unsafe files as protected content that requires users to enable editing if they want access to the information contained within.
Phishing attacks are growing in volume and complexity, fueled by increasingly aggressive social-engineering schemes, according to a recent report from Wombat Security Technologies.
Forty-two percent of the organizations polled by the security awareness and training company admitted to suffering a malware infection due to phishing. Twenty-two percent said they felt the sting of compromised accounts while 4 percent lost data. Despite the dangers, a staggering 56 percent of organizations do not perform assessments of the risk to end users.
To combat this, Microsoft has added a new Group Policy setting that can be can be set on a per-application basis and enable administrators to completely block macros that arrive at users’ inboxes via email attachments, provided they use Outlook and Exchange. Administrators also can block macros that are downloaded from the Internet or from cloud file services like Dropbox or Microsoft’s own OneDrive.
“This feature relies on the security zone information that Windows uses to specify trust associated with a specific location,” the Microsoft Malware Protection Center team explained in a blog post. “For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document.”
Not all workplaces are the same, naturally. Some organizations may rely on workflows that depend on sharing macros.
Microsoft advises end users to avoid opening macros from unknown sources. Even if they appear to come from trusted colleagues, the company urges caution in case the sender was hacked. Microsoft recommends enterprise administrators use the new feature and consider disabling macros completely if their workflows allow it.