Executable code embedded within Office documents continues to be a popular way to deliver malware.
Office, by default, opens files downloaded from the internet in a safe way that prompts the user first to enable editing, and then again to enable the macro content. I’m sure everyone has seen this before:
You could be just one click away from ruining your day, and potentially a whole lot more people’s too…
Social engineering is often used to try to get you to enable the blocked content, usually by pretending that there’s hidden or encrypted information in the file that requires you to click those “enable” buttons. Microsoft Threat Intelligence Center’s John Lambert has created a compilation of screenshots of lots of these – quite an eye opener, and useful for staff training.
Sometimes, IT admins are forced to disable the protection features due to pressure from users who are annoyed with stuff not working “how it used to” or having to click through too many security checks. Sometimes, they don’t think to force the Office products to display the warnings, and leave the Trust Center settings available for users to change themselves (i.e. turn off).
As with many things, macros can be of huge benefit, but if their use isn’t essential, just disable them. If nobody needs them, nobody will notice if the functionality isn’t there. This advice is just common sense (right?) but if you don’t believe me, believe Microsoft – they say the same thing. As does the UK’s National Cyber Security Centre.
You have several options, and the two I’m going to show you require the latest Office Group Policy Templates, so download those if you’ve not already got them and put them into your central store for group policy (you are using one of those, right?).
Block macros from running in Office files from the Internet
In Office 2016 Microsoft included this new feature that you can enable via Group Policy. It’s available for Word, Excel and PowerPoint, and allows you to disable macros where Office detects that the file has come from the internet, be that downloaded via a web browser or from external email. They liked it so much, they even backported it to Office 2013 too.
In the Group Policy Management Editor, go to User configuration > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center. Open the Block macros from running in Office files from the Internet setting to configure and enable it.
The effect for the end user is the red/pink bar in the following image:
Disable VBA for Office applications
This is the ultimate option: just disable the Visual Basic for Applications functionality for the whole of Office. No more macros, or any other VBA stuff. This is done via the following Group Policy setting:
Computer or User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings.
Enable the setting Disable VBA for Office applications.
Office then displays the following when anything tries to access VBA functionality:
Hopefully you’ve found this a useful, practical guide to increasing your security.
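To confirm that the two policies above have actually reached a client, this added example (not part of the original post) reads the policy registry values as the logged-on user and reports which ones are enforced. It assumes the Office 2016 templates write the DWORD values `blockcontentexecutionfrominternet` and `vbaoff` under the `16.0` policy key; check the names against your ADMX files before relying on it.

```powershell
# Added example: audit the two macro policies described in this post.
# Assumption: the Office 2016 ADMX templates store the settings as the DWORD
# values below (1 = enabled) under the "16.0" policy key.
# Run as the logged-on user, because HKCU is per user.

$checks = @(
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        [pscustomobject]@{
            Policy = "Block macros in files from the Internet ($app)"
            Hives  = @('HKCU:')             # User configuration only
            SubKey = "Software\Policies\Microsoft\Office\16.0\$app\Security"
            Value  = 'blockcontentexecutionfrominternet'
        }
    }
    [pscustomobject]@{
        Policy = 'Disable VBA for Office applications'
        Hives  = @('HKLM:', 'HKCU:')        # Computer or User configuration
        SubKey = 'Software\Policies\Microsoft\Office\16.0\Common'
        Value  = 'vbaoff'
    }
)

$report = foreach ($check in $checks) {
    # Collect every hive in which the policy value exists and equals 1.
    $enforcedIn = foreach ($hive in $check.Hives) {
        $path = Join-Path $hive $check.SubKey
        $item = Get-ItemProperty -Path $path -Name $check.Value -ErrorAction SilentlyContinue
        if ($item -and $item.($check.Value) -eq 1) { $hive.TrimEnd(':') }
    }
    [pscustomobject]@{
        Policy   = $check.Policy
        Enforced = [bool]$enforcedIn
        Source   = if ($enforcedIn) { $enforcedIn -join ', ' } else { 'not set' }
    }
}

$report | Format-Table -AutoSize

# When saved and run as a script, a non-zero exit code lets a compliance job
# flag machines where any of the policies is missing.
if ($report.Enforced -contains $false) { exit 1 }
```

A missing value means the user can still change the corresponding Trust Center setting; `gpresult /r` shows whether the GPO itself was applied.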