Microsoft beefs up defences against Office macros menace

Microsoft has introduced a macros-blocking feature within Office 2016 in a move designed to collar a long-running malware threat.

Macro-based malware is once again on the rise as a vector in the spread of various strains of malware including the Locky ransomware, BlackEnergy and the Dridex banking trojan. Microsoft’s stats shows the prevalence of the malware type waxing and waning over the last three months. More pointedly, data from Redmond’s Office 365 Advanced Threat Protection service indicates 98 per cent of Office-targeted threats use macros.

Macros are popular with virus writers because users who enable them for other reasons are left exposed in cases where they are tricked into opening the wrong (booby-tapped) document, as Microsoft explains in a post on its official threat response blog.

The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.

In response, Microsoft is releasing a new feature in Office 2016 to help enterprise administrators block macros from loading in certain high-risk scenarios. This is an enterprise-focused policy-based feature that means, for example that enterprise are able to selectively restrict macro use to a set of trusted workflows.

The feature can be controlled via Group Policy and configured per application. Enterprise administrators would, for example, gain the ability to block macros from running in Word, Excel and PowerPoint documents that come from the internet. Or more specifically macros could be disabled in documents attached to emails that have been sent from outside the organisation.

The latter restriction blocks at least one well-known vector of malware infestation.

Alternatively the same technology can be used to provide “end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow”. ®