Macros are disabled from now on. Good news for your Cyber ​​Security.

June 22, 2022

Frank Cameling

Senior Security Officer

As of this month, all macros opened from the Internet in Office are off by default. A small change with good news for your Cyber ​​Security.

Macros are useful tools in files that perform certain tasks and commands automatically. You can find them in Microsoft Office or in Windows 365, for example. If you often perform the same action in Word, Excel or another program, you can record the individual steps in a macro.

Work faster with macros, but not without risks

By saving these steps in a macro, you avoid making mistakes with this repetition of moves. In addition, you are of course ready a lot faster, because the macro does the work for you in one go.

Macros are therefore effective, and that also directly explains their popularity. And thanks to their popularity, they are now also in the toolbox of hackers. You can't always see from the outside what a macro does.

In addition, attackers can also use macros to access files. After which, for example, these files are locked and you only get these files back against payment, for example.

You are then a victim of ransomware, while you did nothing but open a file. What actually happened is you activated a two-stage rocket. When opening an infected attachment, the file was opened, but processes were also started in the background, which makes life miserable for your organization.

The 'success' of this method has prompted Microsoft not to allow the macros to run freely. What has changed? Until recently, you got a yellow warning at the top of the screen when opening files with macros. You were made aware that opening them can be risky. But otherwise it was all up to you.

That innocence is now gone. You will now see a Security Risk banner that a threat has been found for your Cyber ​​Security.

Time for Macro Policy

The macro thus remains inactive. Standard. Your system administrator or IT Engineer can also apply policy to this. Microsoft gives you that option, provided you know what you're doing, of course.

There are three options for this:

  • The system administrator allows macros from the Internet to be accessed anyway, because they are digitally signed and this digital certificate is known.
  • It is allowed to open because the macro comes from the Internet, but from a trusted location. For example, the site of a supplier that you visited to download a price list.
  • The variant: it is also possible to apply exceptions between apps, such as granting permission in Excel, but denying in Word, or vice versa. You can vary in Word, Excel, Powerpoint, Visio and Access.

Advice: disable macros

Microsoft itself advises to disable all macros from the Internet, unless they are digitally signed by a trusted party. System administrators can therefore deviate from this.

This also applies to informing users. You cannot show this information either, because you expect that a user does not have sufficient knowledge to make a safe estimate.

A difficult estimate? This indicates that you do not have a realistic picture of your colleagues' Cyber ​​Security awareness.

In addition to carefully applying an IT Policy for macros, it is of course important that this is disseminated in the workplace.

As an IT Engineer you can, in theory, aim for the highest. But if your colleagues are not included enough in the process, things still go wrong in practice. In this case, because your colleague, for example, indiscriminately allows all macros, because the IT department leaves the choice to the user. And it still goes wrong.   

What is your Cyber ​​Security Policy?

No clear picture of where your organization stands when it comes to complying with your Cyber ​​Security policy?

Avoid hindsight after an attack on your company network. We are happy to give you advice on what you should pay attention to. With an apparently small setting for macros, but also all other decisions that can put your Cyber ​​Security at risk.

Used sources: Macros from the internet are blocked by default in Office – Deploy Office | Microsoft Docs and internal.