Microsoft is finally planning to block Visual Basic for Applications (VBA) macros by default in a variety of Office apps. The change applies to Office files that are downloaded from the internet and contain macros, so Office users will no longer be able to turn those macros on with a single click of the Enable Content button.
“The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations,” explains Kellie Eickmeyer, a principal PM at Microsoft.
Attackers have used Office documents with malicious macros for years, and while Office has long prompted users to click a button to let macros run, that single click could have “severe” consequences “including malware, compromised identity, data loss, and remote access.” Instead of a button, a security risk banner will appear with a link to a Microsoft support article, but no easy way to enable the macros.
Microsoft is planning to preview the change with its Current Channel (Preview) users in early April, before rolling out to its regular Microsoft 365 customers. The change to block VBA macros from the web will affect Access, Excel, PowerPoint, Visio, and Word on Windows. Microsoft also plans to update Office LTSC, Office 2021, Office 2019, Office 2016, and even Office 2013 to block internet VBA macros.
This is a big change that could affect many legitimate uses of VBA macros. Office users will only be able to enable the macros by first ticking the Unblock box in the file’s Properties dialog, which removes the Mark of the Web that Windows attaches to files downloaded from the internet. That is several more steps than before, and ones that Microsoft hopes will prevent security incidents in the future.
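The following PowerShell is an added example, not code from the article or from Microsoft. It shows what the new block keys on (the Zone.Identifier alternate data stream that Windows writes as the Mark of the Web) and what the Unblock checkbox actually does. The file path and the Downloads audit are assumptions for illustration.

```powershell
# Added example: inspect the Mark of the Web on an Office file and see what
# the "Unblock" checkbox does. $Path is a hypothetical file, not one named in
# the article.
param([string]$Path = "$env:USERPROFILE\Downloads\invoice.docm")

# The Mark of the Web is a Zone.Identifier alternate data stream. A ZoneId of 3
# means "Internet zone"; that is the case in which Office now refuses to run
# VBA in the file.
if (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Host "Mark of the Web present on ${Path}:"
    Get-Content -Path $Path -Stream Zone.Identifier
} else {
    Write-Host "No Mark of the Web on ${Path}: the internet-macro block does not apply to it."
}

# Audit (assumed scope): list macro-enabled Office files under Downloads that
# still carry the mark, with the zone they were downloaded from.
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.docm,*.dotm,*.xlsm,*.xlam,*.pptm,*.ppam |
    Where-Object { Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $zoneLine = (Get-Content $_.FullName -Stream Zone.Identifier) -match '^ZoneId='
        [pscustomobject]@{
            File = $_.FullName
            Zone = ($zoneLine -replace '^ZoneId=', '')
        }
    }

# Ticking "Unblock" in the file's Properties dialog is equivalent to running
#   Unblock-File -Path $Path
# which deletes the Zone.Identifier stream. Once it is gone, Office treats the
# file as local and the old Enable Content prompt comes back, so do this only
# for a file whose origin you trust.
```

Run it as a script (`.\Check-MotW.ps1 -Path <file>`) on Windows. Copying a marked file to a non-NTFS volume, or extracting it from some archive tools, also drops the stream, which is why the mark is a useful but not airtight signal for detection work.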
“Macros account for about 25 percent of all ransomware entry,” explains security researcher and former Microsoft employee Kevin Beaumont. “Keep derisking macros and macro functions. It’s really important. Thank you all the people behind the scenes doing this.” Marcus Hutchins, a security researcher best known for halting the global WannaCry malware attack, also celebrated Microsoft’s changes but noted the company has “decided to do the bare minimum” after years of malware infections.