Tricking someone into enabling macros on a downloaded Microsoft Excel or Word file is an old hacker chestnut. That one click from a target creates a foothold for attackers to take over their devices. This week, though, Microsoft announced a seemingly minor tweak with massive implications: Beginning in April, macros will be disabled by default in files downloaded from the internet.
Macros are small pieces of software used to automate tasks like data collection without the need to develop additional tools or applications. They can be written directly in Microsoft's Visual Basic for Applications programming language, or set up through translation tools that will turn a series of steps into a VBA macro, no coding skills required. Businesses rely on them heavily, especially those with legacy infrastructure, and they play a crucial role in everything from financial services to government organizations. But as an individual Microsoft 365 user, it's not unusual if your only interaction with macros has been clicking that pesky “allow” button—or knowing avoidance.
For attackers, being able to write little programs within massive, trusted applications like Excel or Word creates the opportunity to develop what are essentially macro viruses. Bad actors can also craft these programs to automatically download and run additional malware on victim devices. As a result, whether you use the feature in your daily life or not, everyone has faced risk from it for decades, making Microsoft's move this week all the more significant.
“A few years from now, we’ll look back on this announcement as the single biggest change Microsoft made for mitigating threat actor initial access,” says incident responder and former NSA hacker Jake Williams. “Your apex-grade threat actors or the NSO Groups of the world aren't using this stuff anymore anyway, but this will impact scammers, ransomware groups, and other criminals for sure.”
At least a quarter of ransomware attacks against businesses or other organizations start with phishing attempts, which often dangle a malicious document laced with tainted macros, according to Brett Callow, a threat analyst at the antivirus company Emsisoft.
“I’m very happy about Microsoft's announcement,” Callow says. “Cybercriminals, on the other hand, will be far from happy. Really, the change was long overdue.”
“We are always working to improve security,” said a Microsoft spokesperson in a statement. “Our products currently provide a warning to all customers that requires them to click before running macros from the internet. This new feature goes even further with an extra step to protect customers in everyday scenarios.” The company declined to say specifically why it took the step now and had not done it sooner.
The answer likely involves the tension between the needs of Microsoft's big, macros-dependent customers and the desire to tamp down macros-related attacks once and for all. In Windows 10 and 11, a feature called Microsoft Defender Application Guard has made it much more difficult for attackers to get meaningful access from what would have previously been successful macros-related attacks. But Application Guard is mostly intended for enterprise devices, and many consumer Windows computers still don't support it. And in general, the vast universe of old and outdated Windows devices keeps trucking without advanced defenses.
By disabling macros specifically in files obtained from the internet, Microsoft appears to be attempting a diplomatic solution. Windows marks files you download with a metadata attribute known as “Mark of the Web” or “zone.identifier.” These help the system do things like warn you when you're about to run software from the internet that may not be trustworthy. Files that have never moved across the internet, like the involved payroll spreadsheets a company's accounting department keeps on the internal HR server, will still have macros enabled by default. And you'll still be able to enable them on files you download if you're really sure you can trust them.
The new macros guardrails will only apply to current versions of Office on Windows for Access, Excel, PowerPoint, Visio, and Word. Microsoft says that “at a future date to be determined” it will also release updates to bring the protection to those same programs in Office 2021, Office 2019, Office 2016, Office 2013, and Office Long Term Servicing Channel.
Attackers have already had to adapt to tricking users into affirmatively running macros, but the new moratorium means targets would have to carry out a much more involved process to be infected—making it much less likely that attackers will be able to successfully guide them through it. Incidentally, the change will also make life harder for “red teamers,” security professionals tasked with trying to hack their own organization's systems and products to find vulnerabilities. Malicious macros attacks have been a longtime staple for both real scammers and auditors like red teams looking to access target devices. The higher level of difficulty is exactly the point.
“As a red teamer, I think this is a great move,” says independent researcher Cedric Owens. “Office macro abuse has had a long tail, and since there is rarely a valid use for Office files using macros, especially in files obtained from the internet, I'm glad to see Microsoft make this change.”
Owens notes that he would like to see the protection come to Office for Apple's macOS as well, since macros hacking also shows up there. But he emphasizes that bringing the defenses to Windows, where the majority of such attacks occur, is a crucial first step.
It will take time for Microsoft to release the patches for all versions of Office on Windows, and even longer for them to proliferate. Legacy systems may never receive the updates, or not for many years. In the meantime, macros attacks will continue. And hackers will almost certainly work on ways to get around the new defense, perhaps by tricking users into manually removing the “Mark of the Web” flag from files. But researchers and security practitioners emphasize that the move is nothing short of a watershed moment.
“Of course it's not a silver bullet, but this is an important tipping point, and it’s worth losing some default functionality for the security benefit,” says Kenn White, codirector of the Open Crypto Audit Project. “I think it's honestly a historic security milestone.”
- 📩 The latest on tech, science, and more: Get our newsletters!
- They were “calling to help.” Then they stole thousands
- Extreme heat in the oceans is out of control
- Thousands of “ghost flights” are flying empty
- How to ethically get rid of your unwanted stuff
- North Korea hacked him. So he took down its internet
- 👁️ Explore AI like never before with our new database
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones
