
Microsoft appears to reverse VBA macro-blocking

Microsoft quietly reverses VBA macro-blocking across its Office portfolio in a move that has left security experts puzzled

Microsoft appears to have quietly, and without fanfare, reversed a February 2022 policy to block Visual Basic for Applications (VBA) macros by default across five of the most used Office applications, citing negative user feedback.

The new policy was introduced on the basis that removing the option to enable macros with a single click, and instead putting extra click-throughs and reminders in users' path, would make it harder for threat actors to trick them into opening malicious attachments carrying malware payloads. The change was made at least in part because of the ongoing prevalence of remote working.

However, as first reported by Bleeping Computer, Redmond now appears to have put the brakes on the policy and begun a rollback – which may yet prove temporary.

The rollback was first spotted by Microsoft users puzzled as to why the old security warning had reappeared on documents containing VBA macros, as opposed to the new block notice that they were becoming used to.

UK-based user Vince Hardwick was first to query the change on Microsoft’s Tech Community forums after running into difficulties attempting to demonstrate the new policy for a YouTube video he was making.

Responding to Hardwick’s query on the forums, Angela Robertson, Microsoft 365 Office Product Group principal GPM for identity and security, said: “Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologise for any inconvenience of the rollback starting before the update about the change was made available.”

Other users, including Hardwick, voiced frustration that Microsoft had failed to communicate the rollback to them.

The nature of the feedback that Robertson referred to is unclear, but if the decision to roll back is indeed based on user feedback, it is unlikely to be the feedback of the security community, which had generally welcomed the move in the hope that it would improve organisational security by cutting off an easy way for cyber criminals to establish initial access into their targets, i.e. by emailing them malicious documents or spreadsheets.

Security experts have already responded, describing Microsoft’s move as a “terrible idea” and a “weird decision”.

In the short period since the change began to roll out, plenty of evidence has indeed stacked up that the change was forcing threat actors to evolve their tactics, techniques and procedures (TTPs).

At the end of April, Proofpoint reported that the group behind the Emotet botnet had turned to using tainted OneDrive URLs instead of macro-enabled attachments, likely because blocking macros by default makes it harder for the average user to fall for the trick.

Then in June, Check Point reported that the Snake Keylogger was shooting back up its monthly threat charts following a number of novel email campaigns that saw it distributed in a tainted PDF file – historically, Snake had arrived in Word documents or Excel spreadsheets.

Computer Weekly contacted Microsoft to seek further clarification on the nature of the rollback, but had not received a response at the time of writing.
