New feature in Office 2016 can block macros and help prevent infection


Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.


Macro-based malware infection is still increasing

Macro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing.

Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months.


In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.

Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.

The enduring appeal of macro-based malware rests on the likelihood that a victim will enable macros. Previous versions of Office already warn when a document containing macros is opened, but malware authors have refined their social engineering, luring users into enabling macros in good faith and ending up infected.


Block the macro, block the threat

In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators reduce the risk from macros in certain high-risk scenarios. This feature:

  1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.
  2. Blocks easy access to enabling macros in scenarios considered high risk.
  3. Provides end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation from a normal workflow.

This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:

  1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox).
  2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email).
  3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).

Let’s walk through a common attack scenario and see this feature in action.

Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.

Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.

James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.

Email with a macro-enabled attachment

When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.

Word document instructing a user to enable macros to get out of protected view mode


However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to lure James into making decisions detrimental to his organization’s security. James follows the instructions in the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.

Warning message appears in a document if macros can't be enabled


James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.

This feature relies on the security zone information that Windows uses to specify the trust associated with a specific location. Windows stores that information alongside the file, in the Zone.Identifier alternate data stream (the “mark of the web”) that browsers and other download clients write when they save a file. For example, if the location the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.
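The following PowerShell is an added example, not code from the original post or from Office. It inspects the Zone.Identifier stream that the policy consults, shows the check on a constructed file, and tests whether the mark survives a zip round trip, which is the bypass readers ask about in the comments. It assumes Windows with NTFS, PowerShell 5.0 or later (for Compress-Archive/Expand-Archive; the stream cmdlets need only 3.0), and write access to $env:TEMP. The file names, the HostUrl value and the zone-name table are constructed for the demonstration.

```powershell
# Added example (not part of the original post). Reads the Zone.Identifier
# alternate data stream (mark of the web) that the "Block macros from running
# in Office files from the Internet" setting relies on.

$zoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

function Get-FileZone {
    # Returns the ZoneId recorded in the file's Zone.Identifier stream, or $null
    # when the stream is absent (Windows then treats the file as local).
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-MacrosBlockedByZone {
    # The post names the Internet zone (ZoneId 3) as the blocked case; that is
    # the only zone asserted here. Files with no mark, or marked intranet or
    # trusted, are not blocked by this policy.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-FileZone -Path $Path
    $label = if ($null -eq $zone) { 'no Zone.Identifier' } else { $zoneNames[$zone] }
    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        ZoneId  = $zone
        Zone    = $label
        Blocked = ($null -ne $zone -and $zone -eq 3)
    }
}

# --- Demonstration on constructed files in $env:TEMP ---
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

$doc = Join-Path $work 'invoice.docm'
Set-Content -LiteralPath $doc -Value 'placeholder content, not a real Word file'

# Simulate a browser download by writing the stream a browser would write.
# HostUrl is the kind of line newer browsers add; the value is made up.
Set-Content -LiteralPath $doc -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/invoice.docm')
Test-MacrosBlockedByZone -Path $doc            # ZoneId 3, Blocked True

# Round trip through a zip: whether the mark survives depends on the extractor.
$zip = Join-Path $work 'invoice.zip'
Compress-Archive -LiteralPath $doc -DestinationPath $zip
Set-Content -LiteralPath $zip -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3')
Expand-Archive -LiteralPath $zip -DestinationPath (Join-Path $work 'extracted')
Test-MacrosBlockedByZone -Path (Join-Path $work 'extracted\invoice.docm')
# Expand-Archive (System.IO.Compression) does not copy the stream, so the
# extracted copy reports "no Zone.Identifier" and the policy will not block it.
# Run the same check against whatever extractor your users actually have.

# Unblock-File is the supported way to remove the mark from a file you have
# decided to trust; after it the policy no longer applies to that file.
Unblock-File -LiteralPath $doc
Test-MacrosBlockedByZone -Path $doc            # Blocked False
```

The round trip is the practical caveat: any copy path that drops the alternate data stream (an extractor that does not propagate it, a copy onto a FAT-formatted USB stick, a non-NTFS file server) also drops the protection, which is why the post recommends scoping trusted workflows rather than relying on this setting alone.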


Use Group Policy to enforce the setting, or configure it individually

Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:

  1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor, go to User configuration.
  3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
  4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.

Group policy settings location

You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.
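The following PowerShell is an added example, not code from the original post, for administrators who want to apply or audit the same setting outside the Group Policy editor (on a test machine, or with a configuration-management tool). The policy key path and the value name blockcontentexecutionfrominternet are taken from the reader comments on this post and from the Office 2016 administrative templates; the vbawarnings value and its meaning (4 = disable all macros without notification, the “disable them completely” option from the Final tips below) are my assumption of how the template maps to the registry, so verify both against the ADMX files for your build.

```powershell
# Added example (not part of the original post). Writes and reads the
# per-user registry values behind the Office 2016 macro settings.
# Assumes Office 2016 (registry version 16.0). Writing under
# HKCU:\Software\Policies normally requires elevation; a standard user
# cannot change it, which is exactly why Group Policy writes there.

$apps       = 'Word', 'Excel', 'PowerPoint'
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # written by Group Policy
$userRoot   = 'HKCU:\Software\Microsoft\Office\16.0'            # written by the Trust Center UI

function Set-OfficeMacroPolicy {
    # $BlockInternet = 1 enables "Block macros from running in Office files
    # from the Internet". $VbaWarnings: 2 = disable with notification (Office
    # default), 3 = disable except digitally signed, 4 = disable all without
    # notification. Mapping assumed from the administrative templates.
    param(
        [ValidateSet(0, 1)][int]$BlockInternet = 1,
        [ValidateSet(1, 2, 3, 4)][int]$VbaWarnings = 2
    )
    foreach ($app in $apps) {
        $key = Join-Path $policyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value $BlockInternet -Force | Out-Null
        New-ItemProperty -Path $key -Name 'vbawarnings' `
            -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # Reports both locations so you can see which one is in effect: a value
    # under Policies takes precedence over the user's own Trust Center value.
    foreach ($app in $apps) {
        $fromPolicy = Get-ItemProperty -Path (Join-Path $policyRoot "$app\Security") -ErrorAction SilentlyContinue
        $fromUser   = Get-ItemProperty -Path (Join-Path $userRoot   "$app\Security") -ErrorAction SilentlyContinue
        $enforced   = $null -ne $fromPolicy.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application          = $app
            BlockInternet_Policy = $fromPolicy.blockcontentexecutionfrominternet
            BlockInternet_User   = $fromUser.blockcontentexecutionfrominternet
            VbaWarnings_Policy   = $fromPolicy.vbawarnings
            VbaWarnings_User     = $fromUser.vbawarnings
            Source               = if ($enforced) { 'Policy (enforced)' } else { 'User or default (not enforced)' }
        }
    }
}

# Usage on a test machine, from an elevated prompt:
Set-OfficeMacroPolicy -BlockInternet 1 -VbaWarnings 2
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

The audit function is the part worth keeping: a value that exists only under the user key means the user set it themselves and can unset it, while a value under Policies is what the post's Group Policy procedure produces and is the one users will see reported as "blocked by your enterprise administrator".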


Final tips

For end users, we always recommend that you don’t enable macros in documents you receive from a source you do not trust or know, and that you be careful even with macros in attachments from people you do trust, in case their account has been compromised.

For enterprise administrators, turn on the mitigations in Office that can help shield you from macro-based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation you can implement today.


Comments (53)

  1. Great stuff. Will save a lot of organisations from crypto ransomware and other malware.

  2. Jarrod Morago says:

    Great feature, now how about for older versions of Office.

    1. TaskForceKen says:

      For older versions of Office, you can "Go Nuclear" and disable vbe6.dll
      Impact of workaround. Embedded ActiveX controls (such as macros) will not run in Office documents. For instance, users will be unable to insert objects into Office documents. The impact of implementing this workaround is that Microsoft Office files with VBA content (such as with macros) will no longer load.

      reference: workarounds section of Microsoft Security bulletins MS10-031 and MS08-013
      https://technet.microsoft.com/en-us/library/security/ms10-031.aspx
      https://technet.microsoft.com/en-us/library/security/ms08-013.aspx

      Other alternatives: How to turn off Visual Basic for Applications when you deploy Office
      https://support.microsoft.com/en-us/kb/281954

      Caveats and Loss of functionality: Considerations for disabling VBA in Office
      https://support.microsoft.com/en-us/kb/287567

  3. dave says:

    Evil macros are encrypted so you can't see what they are doing.
    Inhouse macros aren't.
    Can we not just completely block encrypted macros ?

  4. charlie says:

    Good stuff, but you should roll it out to Office 2010 and Office 2013; there are a lot of users using those versions. By the time everyone updates to the 2016 version, this infection vector would be outdated. The number of people benefiting would be significantly more if you roll it out on all versions.

  5. Indy says:

    1. The documentation for "Group Policy Administrative Templates for Office 2016." mention use (and requirements) of Windows Vista throughout. Seems just a tad outdated.

    2. The documentation is incredibly complex for just setting *one change* in Group policy. Is there a simpler way to do this?

    1. Sriram says:

      This setting can also be enabled on a client by setting a registry key per application. So to enable this setting for Word,
      1. navigate to HKCU\Software\Microsoft\Office\16.0\Word\Security
      2. Add a new DWORD "BlockContentExecutionFromInternet" and set it to 1

      1. Uwe Kraatz says:

        The Group Policy Editor creates the following entry:

        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security]
        "blockcontentexecutionfrominternet"=dword:00000001

      2. Always use
        [HKEY_CURRENT_USER\SOFTWARE\Policies...
        A normal user without admin rights cannot change this setting in "Policies", but can in HKCU\Software\Microsoft\Office...

  6. David Ashcroft says:

    I am trying to set this GPO up on Win Server 2012 R2. The Office 2016 stuff is not available in Admin templates. Is there any way I can get these items to appear?

  7. Panagiotis says:

    I am not sure that I understand how windows are tracking "download from internet docs", so my question is: if the doc is zipped and then send with an email, will the macros be blocked?

    1. adwbust says:

      Great question! I'm curious too. But I think those inside archives won't have the Zone.Identifier, so I guess that's a bypass, same as those transferred from local, remote or removable storage. Files extracted from archives and those transferred from other storage should also have Zone.Identifier!

      1. Robert says:

        It doesn't matter where the doc comes from, it is the execution of the macro script inside of it where this takes place. I would assume it knows by looking for the VB API calls related to fetching content off the internet, and therefore identifies macros with those API calls in their script and blocks them.

        1. Jamie says:

          That's not correct, it's the file's metadata, the "Internet: zone" setting.

      2. Sriram says:

        This depends on the software being used to unzip the files. The native zip/unzip functionality in Windows appears to correctly apply the Zone Identifier when the zip is downloaded from the Internet.

  8. Todd says:

    I hate to say it, but this should get added to Office 2013 as well. That would be a good will gesture that would go a long way in organizations that are often behind, such as health care.

  9. Kurt says:

    And what if the user does actually need to view the document or enable macros? What is an easy way unblock it?

    1. ChristosK says:

      Open the file --> save as to a new file --> re-open the new file-->enable content

  10. Sam says:

    Thanks! Would you be able to set whitelisting for known safe senders?

  11. mel says:

    Does this apply for a Windows Server 2012 r2 environment with clients who use Windows 7 running Office 2013?

  12. Matt says:

    Most, if not all, of this needs to be "back-ported" as a Critical-level security update to organizations still running < Office 2016 (i.e. 2013).

    Specifically: Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.

  13. repmeer says:

    Why is option not available for Office 2013?

  14. Andrés Arnaldo says:

    Is there anyway to implement this on previous Office versions? E.g. 2007..2010..
    Thank you!

    1. ThatGirl-007 says:

      Yes- It should almost be a prerequisite. Older versions of Office are still supported and instructions to accomplish this should be available- as the 'older versions' will continue to run smoothly thru Win10 upgrade. Excellent idea!

  15. Geoff Kimmons says:

    Protected View on Windows 7, Office 2016 is a disaster - it frequently prevents files on local enterprise network shares from loading, and from the cloud. Office provides a wholly inaccurate "not enough memory or disk space" error. You actually have disable protected view to enable business process to continue. Previous blogs state this used to happen with Office 2013, but I've never seen it so assume there was a fix, which does not seem to have been pushed over to Office 2016 - brilliant work Microsoft

  16. R S says:

    Code signing FTW.
    I sleep better because I just allow signed macros now. It's easier than it sounds, and this setting prevents the possibility of saving an infected file in a trusted location. You can do this with GPOs also.

    1. An where does the Code Signing Certificate come from? Self Signing should not work as a hacker can also "Self sign" his code.

  17. Herbert Reti says:

    I don't know if this is working for my Microsoft Lumia 640xl

  18. Scott Turner says:

    The fact that this is the only alternative to blocking macros in the Office 365 tenant / Exchange Security Settings is laughable. You are beginning to show why the Microsoft Exodus of 2020 will occur.

    Other email services are abundantly more secure. Office 365 and security go together like Crap and Spaghetti.

  19. Bala2Bala says:

    I am opening the Macro enabled files from SharePoint 2013, but I am not getting the "Enable Content" option at all and Macros are not triggering. Please need any help or assistance badly, since all the work has been affected because of this issue.

  20. Alex says:

    This only works if the user attempts to open it in their email. If they remove the attachment and save it to a different place, the macro will still run. There needs to be a better grip on documents that have macros.

  21. Having the ability to strip the macros out with structural sanitization and allowing the rest of the email to go unhindered eliminates the challenges discussed below with versions, saving the attachments outside of email and non-Office attachments (PDFs, OpenOffice, etc.).

  22. This is really awesome to know about this change and preventive step from Microsoft to avoid infections with Macros.
    You can check this blog for more tips and tricks
    http://technolotal.org/

  23. Michel Christaller says:

    Regarding files downloaded from Internet Explorer, it seems that when you click "Open" IE saves the file to the INetCache folder and this setting blocks it. When you click "Save" IE saves to the downloaded files folder and sets the file's Zone Identifier according to the website's zone. When the website is in Trusted Sites, Excel can open and execute macros in the file (as it should).
    But "Open" from IE for a Trusted Site is blocked by this setting... not really consistent or explainable to the users.

    1. Michel Christaller says:

      In fact this setting only blocks files that are in the INetCache folder (for Windows 10), regardless of where the file really came from. This means internal files sent by email and opened through Outlook will be blocked (because Outlook opens attachments from the INetCache temporary folder)...

  24. Nice work by Microsoft blocking Macro Malware. Thanks for the detailed info.

    1. Stuart Katz says:

      I don't see the option for Microsoft Word 2016 under Administrative Templates in my GPO on the server. I checked on a user's computer, which is the local computer policy, and don't see this option. All users have Office 2016 installed. Where can I set this policy?

  25. This is good information for administrators seeking to block malicious files.
    Is there any equally good advice for software developers who need to distribute macro-enabled documents about how they can minimise the risk of them being blocked? Does code signing help for example? Are there any whitelists we can apply to be included in? etc etc.

    1. Sriram says:

      hello Julian,

      You will need to work with the customer to ensure the channel they acquire this document through is considered trusted, e.g. if they download this from a site, the website is marked as a trusted site on the customer's machine.

      Signing macros should also work so long as the certificate used to sign the macro is considered a trusted publisher by the customer.
      More info here: https://support.office.com/en-us/article/Add-remove-or-view-a-trusted-publisher-1C7C871C-632C-408C-8233-C7DD47289A00?ui=en-US&rs=en-US&ad=US

  26. Jamie says:

    My problem with this is the "Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization."

    There are users who both download and get emailed xlsm files from a financial regulatory body's site/email. How to set up an exception via email or website is the question. It's never the generic block everything that counts as to whether things get implemented or not, it's how flexible are the exceptions.

    Currently, we have 2013, and have disabled macros already, except for excel, which is a pain because we get malware from that too.

  27. jbmartin6 says:

    You keep saying don't enable macros but the button says enable content.

  28. John says:

    I have a better policy on my network -- no downloads, no flash drives 🙂

  29. y0d4 says:

    Could someone tell me which security update is required for windows 7 and office 2013 for this option to work?

    thank you

  30. Teo says:

    Hi guys,
    Could you confirm from which version onwards this should be applicable?
    The first version after the date of the release of the blog is : Version 1602 (Build 6741.2021) - Current channel.
    Does that mean versions 16.0.6741.20121 and higher should "enable" this?

  31. Thomas Clark says:

    This new feature is wonderful for those who dig up dirt from all over the Internet, but it's a bane to the existence of teachers whose students submit all their papers through a website. Every document I open has to be clicked numerous times just to get it up to get past all the security warning boxes. Even when I open a brand new blank document I get these numerous boxes. Makes one wish for the good old days of leaving the customer to fend for himself. Can't you provide a check box in the Trust Center to turn it off permanently? None of us use macros in our homework assignments or papers.

    1. Sriram says:

      Would you mind sharing the text of the warnings you need to click through? Since you mention this: "None of us use macros in our homework assignments or papers.", I don't think these are macro warnings as discussed in this article.

  32. Jason Baird says:

    Another option is making sure that any emails sent to the company get the macros stripped off. We use this: http://www1.maysoft.com/MacroKiller It's pretty sweet. It seems to be the best way since you're stopping them at the gateway.

  33. D Hardisty says:

    Could someone tell me how I can get a scan macro to work in Word 2016 I have tried using the Trust Centre but still it does not work - I should add it worked perfectly in 2013. I should add that the above recommendation is a bit too complicated for this old old timer. Thanks

  34. Thomas Clark says:

    Unfortunately, the macro warnings (the macro can't be found or has been disabled because of your macro security settings) persist even on the request to open a new blank document. Documents which were created by me on my computer persist in bringing up warnings, even though I may have saved them a dozen times after edits. This is severely annoying. It's never been a problem in Word 2007, or Word 2011. Can't I get rid of all the warnings--they consume too much of my time messing with answering them for every document I open. With 50 students' work pouring in every week, these warnings are too much.

  35. jackin says:

    So i tried to follow above instructions to re-enable macros, but did not even see same above options in gpedit.msc under user configuration > administrative templates > Microsoft Word 2016
    Could you please inform why?
    I also checked under computer configuration > administrative templates >, no luck.

    1. Sriram says:

      Can you download and install the latest administrative templates from this link and check if the options now appear in gpedit?

      https://www.microsoft.com/en-us/download/details.aspx?id=49030

  36. Michael says:

    This is not on Windows 10 Enterprise with Office 2016 in a 'workgroup'. No Office branches shown in GPEDIT. Windows 1607 OS Build 14393.1198, up to date.
