The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…
…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.
Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.
Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.
Fighting back against cybercriminals
Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.
Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.
As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”
To be fair, Microsoft already had an operating system setting that you could use to turn on this safety feature for yourself, but by default it was off.
Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.
Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.
So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.
Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:
Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external servernames, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.
Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.
Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…
…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.
Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more:
What to do?
The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:
- For everyone, users and sysadmins alike: Support – A potentially dangerous macro has been blocked
- For sysadmins and tech-savvy users:Â Macros from the internet will be blocked by default in Office
Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data
DISC InfoSec
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
