- Microsoft is rolling back the February decision to block internet macros by default in Office so it can make the changes more user-friendly, the company said in an update to an earlier blog post. Microsoft cited user feedback for the rollback.
- The change is temporary and Microsoft is “fully committed” to making the default change for all users, Kellie Eickmeyer, principal product manager at Microsoft, said in the blog.
- A number of security researchers raised questions about the decision and the limited amount of transparency Microsoft offered for the change.
The original reason for disabling macros by default was based on “the clear threat landscape trend of many years” by bad actors to leverage macros in order to execute additional code for malicious attacks, Sherrod DeGrippo, VP, threat research and detection at Proofpoint, said via email.
The prior decision to disable macros was hailed by the security community, DeGrippo said, noting a 66% drop in the use of macros after the initial change.
“The direction Microsoft is going is puzzling to threat researchers and defenders,” she said. “We’re watching carefully to see how the threat landscape changes as this confusion affects the industry and how organizations respond to the changing guidance.”
The move to block macros came from the considerable threat activity by malicious actors.
Emotet began testing new techniques in the months following the February rollback, when Microsoft announced it would begin blocking Visual Basic for Applications macros by default.
Even with changes in the default setting, macros can still be disabled by using group policy settings.
Despite the setback for defenders, the big picture remains that Microsoft plans to return to blocking macros in the near term, according to Red Canary researchers.
“What matters most of all is that Microsoft still plans to block these macros by default at some point in the future,” Brian Donohue, principal information security specialist at Red Canary, said via email. “Blocking VBA macros by default is an objectively good security outcome for everyone. We just have to wait a little bit longer to get there.”