Microsoft Turns a Double Flip-Flop Over Malware Macros

Microsoft has a malware problem with macros - but has it finally found the right solution?
9 August 2022

The home of the macro, the extremely useful attack vector.

The prevailing model for understanding ransomware is as a targeted business practice, the act of self-motivated hackers, rather than hostage-takers-for-hire. But a recent study by Venafi (the leading providers of machine identity management) found that not only is malware available to buy – sometimes for ridiculously affordable prices – on the dark web, but 87% of the ransomware for sale on the dark web is deliverable via macros.

You know macros – they’re the handy little mini-programs you can record in Microsoft Office 365 programs like Word and Excel to help you automate repetitive functions. The main discernible feature about macros is that they’re usually fairly simple themselves, and above all, they obey the orders they’re given.

Which is fine if you want to turn a cell unexpectedly green in Excel, or if you want to insert some repeated words into a Word document. But it’s also extremely effective if you want to activate a malware command that takes a user (and through them, the company for which they work) to a ransomware site, or execute a self-replicating DDOS attack, or even do something as relatively simple but expensively vexing as launch a lock screen attack. For those sorts of functions, macros (or ‘dark macros’ as it seems right to call them) are the innocent assassins of productivity, looking entirely like standard macros to anything that searches for the malware culprit.

The Irritating Usefulness of Macros

Having been made aware of this attack vector in its programs, Microsoft took some fairly major action in February, 2022, blocking all VBA macros by default.

Users worldwide found that the macros they had programmed to help them maximize their productivity had stopped working, because Microsoft had taken a sledgehammer to the problem of malicious macros.

Microsoft received what is diplomatically described by the company as “feedback” on its move, and quietly – not to say silently – rolled back its decision, a U-turn that was uncovered by Bleeping Computer on July 7th, 2022. In perhaps the ultimate irony, users were confused that Microsoft had not announced its rollback with as much publicity as it had announced the original macro-ban, and the flip-flop lost Microsoft some trust among its core user community, and some certainty that if there were to be a solution to the issue of dark macros, that Microsoft itself would be the right provider of such a solution.

Angela Robertson, a Principal GPM for Identity and Security on the Microsoft 365 Office team, apologized for the inconvenience caused, especially to SMBs, by the rollback having started before any update about the change was made.

Macros – The Insoluble Problem?

SMBs in particular were affected by the initial macro ban, because a) they’re most frequently run around the Microsoft Office 365 suite, and b) macros are a key efficiency tool in SMBs, used to speed up all manner of small business processes, so they were more than usually vulnerable to a sudden ban on VBA macro use.

As the ban was made extremely public, and the rollback very quiet, Vice President of Security Strategy and Threat Intelligence at Venafi, Kevin Bocek, said Microsoft’s indecision should cause every level of user concern.

Plus, in bowing to feedback from users, Microsoft had essentially gone back to business as usual, ignoring the fact that macros remained a highly active threat when attached to emails, which is how they normally travel from one machine to another – and one company to another.

A Hostile Border For Web Macros

On August 3rd, Microsoft announced that it had flip-flopped again, but with a different take on the problem. Instead of deploying a blanket ban on VBA macros which would cripple business productivity across the SMB sector, it would, it said, change the behavior of Office programs so that they would instantly block all macros coming in from the internet.

While that goes some way to striking a middle ground between acknowledging the threat of macros as a vector for cyber-attacks and understanding quite how useful they are to the day-to-day running of SMBs, it entails further action on the part of businesses to allow the use of documents with domestically-created macros that are stored on shared networks – an increasingly widely-used approach in the post-pandemic era of diversified, frequently remote workers accessing company documents on a cloud or centrally-located server.

“To prepare for this change, we recommend that you work with the business units in your organization that use macros in Office files that are opened from locations such as intranet network shares or intranet websites. You’ll want to identify those macros and determine what steps to take to keep using those macros. You’ll also want to work with independent software vendors (ISVs) that provide macros in Office files from those locations. For example, to see if they can digitally sign their code and you can treat them as a trusted publisher,” was Microsoft’s advice to businesses on its latest approach to minimizing the effectiveness of the malware-laden macros.

While the code-signing advice seems like a sensible precaution for SMBs, and Microsoft also recommends enabling the “Block macros from running in Microsoft Office files from the Internet” function as part of the security baseline for Enterprise Office users, it feels like the latest in a run of potential solutions that Microsoft has deployed against a core system vulnerability between its first action in February and its most recent attempt in August. Users, and SMB users in particular, will wait to see whether the new solution actually delivers a reduction in the ability of dark web macros to wreak havoc on company systems in the second half of 2022.