There is a new feature in the Office 2016 suite that will make it harder for attackers to take advantage of macro malware.
For years, macros have been an easy avenue for attackers, and despite all the warnings and the cases where macro-transmitted malware infections have ravaged entire companies, users kept enabling macros in their Office documents.
Created to allow dynamic content to load in Word, Excel, and PowerPoint documents, macros also let attackers automatically execute malicious scripts that connect to the Internet and download malware.
The usual way to deliver macro malware is by spam. Victims get an email in their inbox that has an attached Office file. The victim downloads the Office file and tries to open it, usually finding a (socially engineered) message at the top of the document instructing them to exit Protected View and Enable Macros to view the content in its entirety.
While security-aware users will quickly recognize this as a malware-laden file, most users will not, and will follow the instructions by enabling macros.
As soon as this happens, the malicious scripts recorded in the document’s macro are executed, and the malware is retrieved from a remote Web server, saved on the computer, and even launched.
In the past few years, macro malware has delivered all kinds of payloads, from spyware to adware, along with ransomware.
Along those lines, Microsoft created a new feature in its Office 2016 suite that will allow corporate network administrators to block the execution of macros that retrieve content from untrusted sources, which in most network configurations is “the Internet.”
“This feature can be controlled via Group Policy and configured per application,” Microsoft said. “It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet.”
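One way an administrator could audit whether the per-application policy described above is in effect for the current user (an added example, not code from Microsoft or the original article). The registry path and the `blockcontentexecutionfrominternet` value name are the ones Microsoft documents for this Group Policy setting in Office 2016 and are not stated on this page; the function name `Get-MacroBlockState` is hypothetical.

```powershell
# Added example: audit the "block macros from the Internet" policy per Office application.
# Assumption: policy path and value name as documented by Microsoft for Office 2016 (16.0);
# neither appears in the article itself.
$ValueName = 'blockcontentexecutionfrominternet'
$Apps      = 'Word', 'Excel', 'PowerPoint'   # the three applications named in the article

function Get-MacroBlockState {
    param([Parameter(Mandatory)][string]$App)

    # Group Policy writes this user setting under the Policies hive.
    $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $state = 'NotConfigured'   # key or value absent: the policy was never applied

    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # 1 = macros in files from the Internet are blocked; any other value = not blocked
            $state = if ($item.$ValueName -eq 1) { 'Blocked' } else { 'Allowed' }
        }
    }

    [pscustomobject]@{
        Application = $App
        PolicyPath  = $path
        State       = $state
    }
}

$report = $Apps | ForEach-Object { Get-MacroBlockState -App $_ }
$report | Format-Table -AutoSize

# The setting is configured per application, so one unconfigured
# application leaves that document type uncovered.
$gaps = @($report | Where-Object State -ne 'Blocked')
if ($gaps.Count -gt 0) {
    Write-Warning ("Macro blocking not enforced for: " + ($gaps.Application -join ', '))
    exit 1
}
```

Run it in the context of the user being audited; a non-zero exit code means at least one of the three applications is not covered by the policy.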