
Defending against office macros attack vectors, one of the most commonly exploited attack vectors

This month, Microsoft announced that they would be implementing a change in the way Office macros are handled when Office accesses files downloaded from the Internet. Macros are designed to increase productivity, by allowing repeatable tasks to be automated when working with documents such as Excel, Word and PowerPoint.

Although intended to increase productivity, they have powerful access to underlying operating system components, rather than just the Office application or data contained within the specific file.

As a result, macro abuse is a common technique adopted by threat actors in phishing attacks and it is observed as the initial attack vector for compromising end user devices in a considerable proportion of cyber incidents. It was identified as the initial attack vector that allowed ransomware operators to obtain a foothold on Irish hospital systems in the Health Service Executive last year.

Macro abuse is a favoured entry vector because macros are enabled by default on systems that use Microsoft Office. Where macros are required at all, typically only a small percentage of the entire workforce uses them. Some organisations may depend heavily on Excel but not use macro functionality at all, yet macros remain enabled, despite it being possible to disable them.

Microsoft plans to help prevent and reduce the number of cyber incidents which involve macro exploitation by changing the default behaviour of how Microsoft Office applications function when opening macro-enabled files, which is key for preventing such attacks at scale – as many organisations overlook hardening default settings.

Files that are downloaded from the Internet, such as via a web browser, have a mark of the web (MOTW) attribute added to them which denotes the zone they were downloaded from; Zone 3, for example, indicates the Internet. In an attempt to reduce the risk of compromise, Office applications will check whether the file has been downloaded from the Internet when opening it, making it more difficult to execute the macro and forcing users to go out of their way in order to do so.
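To make the MOTW check concrete, the following added example (not code from the original post) parses the Zone.Identifier alternate data stream that carries the mark and reports whether the macro block would apply. The stream's INI layout and the zone names are assumed from the Windows URL security zones, and treating Zone 4 alongside Zone 3 as "from the Internet" is an assumption; the post itself states only that Zone 3 is the Internet.

```python
# Added example (not from the original post): parse a file's Mark-of-the-Web
# (the NTFS Zone.Identifier stream) and decide whether Office's "block macros
# from the Internet" behaviour would apply. Zone names are the Windows URL
# security zones; the post itself only states that ZoneId 3 is the Internet.
import configparser
import sys

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Assumption: Office treats Internet (3) and Restricted sites (4) as "from the Internet".
BLOCKED_ZONES = {3, 4}
NO_MOTW = {"zone_id": None, "zone": None, "referrer": None, "host": None}


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] stream; a missing stream or ZoneId means no MOTW."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:  # malformed or headerless stream: treat as unmarked
        return dict(NO_MOTW)
    if not parser.has_section("ZoneTransfer"):
        return dict(NO_MOTW)
    sect = parser["ZoneTransfer"]
    zone = sect.get("ZoneId", "")
    zone_id = int(zone) if zone.strip().isdigit() else None
    return {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id),
            "referrer": sect.get("ReferrerUrl"), "host": sect.get("HostUrl")}


def macros_blocked_by_motw(text):
    """True if the file's MOTW zone means Office would block its macros by default."""
    return parse_zone_identifier(text)["zone_id"] in BLOCKED_ZONES


def read_motw(path):
    """Read the Zone.Identifier alternate data stream (NTFS on Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # stream absent: file was never marked, or not on NTFS
        return ""


# Constructed sample of what a browser writes for an Internet download.
SAMPLE_INTERNET = ("[ZoneTransfer]\nZoneId=3\n"
                   "ReferrerUrl=https://example.invalid/\n"
                   "HostUrl=https://example.invalid/invoice.xlsm\n")

if __name__ == "__main__":
    stream = read_motw(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INTERNET
    print(parse_zone_identifier(stream), "blocked:", macros_blocked_by_motw(stream))
```

Run with a file path on Windows to inspect a real download; with no argument it parses the constructed sample.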

The change will not take effect in all implementations of Office until a later date, but it will be available within the ‘Current Channel Preview’ from April for M365 customers. This means it will be a little longer yet before organisations can benefit from it and before its impact can be evaluated for effectiveness.

However, it should be noted that while this change will likely reduce the number of ransomware incidents, it will not prevent them entirely. Threat actors will likely research methods of preventing browsers from applying MOTW attributes (such as encapsulating the files) or adopt more convoluted social engineering approaches that guide users through the process of allowing the macro to execute – similar to the instructions seen on malicious documents encouraging users to subvert the security measures designed to protect them.

We recommend that organisations review their current approach to dealing with Office macros, primarily from a security perspective, but also from a productivity point of view. The pending change may cause slight disruption to business processes, especially in working-from-home scenarios. Files that are shared via services such as OneDrive and SharePoint will still carry the MOTW attribute, despite originating from sites the user has membership to access, as opposed to a link or email received from the Internet.

Security awareness training for employees should include advice that users should not open documents from untrusted sources, but organisations should also be aware that there are options available to better protect themselves in the event that a lapse occurs.

The following table can be used to evaluate whether stronger measures can be implemented to reduce the risk of compromise associated with macro-based threats. Depending on the deployment model of the infrastructure and how it is managed, this is achieved either through deployment of Group Policy Objects or via the M365 Apps Admin Centre:

  • For deployment to Domain Controllers, the following ADMX/ADML templates can be deployed to %SystemDrive%\Windows\SYSVOL\domain\Policies\PolicyDefinition
  • For Azure managed systems, policies can be administered via the Microsoft 365 Apps Admin Centre under Customization > Policy Management

For GPO templates, these will need to be enabled for each individual Office application (including Access, Excel, PowerPoint, Word and Visio). If macros are required by employees, consider narrowing the scope via OUs and Groups, through GPO and the M365 Apps Admin Centre respectively.

| Approach | Suitability | Template/Policy | Recommended Setting |
|---|---|---|---|
| Aggressive | Small organisations that do not implement or require any programming capabilities in Office apps | Disable VBA for Office applications | Enabled |
| Very Strict | For organisations that have the resources and skill to create and manage digital certificates. Likely infeasible if macros are subject to even occasional refactoring* | Disable all macros except digitally signed macros | Enabled |
| Strict | Files which use macros can be stored on a network share with appropriate access and write permissions. Unsuitable for organisations that do not have centralised sharing facilities or capabilities. A local folder could also be designated as a trusted location, into which users could move the files, but this would likely result in the same problem recurring in the long term | Allow mix of policy and user locations & Trusted Location #<1-20> | |
| Proactive | For organisations that are looking to make the change without waiting and do not wish to place the burden solely on employees to defend against this type of attack in the interim | Block macros from running in Office files from the Internet | Enabled |

Hardening Approaches for Defending Against Macro Abuse

* No policy available on Microsoft 365 App Admin Centre at the time of evaluation

Additional hardening rules for Microsoft Office, which extend to many more features than discussed within the scope of this post, can be accessed at the following resource:

If you’ve been affected by anything in this post, or suspect any cyber-related issue, call our Incident Response helpline on 01786 437 472.