How-to guide also included, showing sysadmins how to protect their enterprises from some malicious macro malware

Mar 22, 2016 23:25 GMT

Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware.

For years, macro malware has been the easiest avenue for infecting Microsoft users, and despite all the warnings and examples where macro-transmitted malware infections have ravaged entire companies, users have kept enabling macros in their Office documents.

Created to allow dynamic content to be loaded in Word, Excel, and PowerPoint documents, macros allow crooks to automatically execute malicious scripts that connect to the Internet and download malware.

The usual way to deliver macro malware is by spam. Victims get an email in their inbox that has an attached Office file. The victim downloads the Office file and tries to open it, usually finding a socially engineered message at the top of the document instructing them to exit Protected View and Enable Macros to view the content in its entirety.

While security-aware users will quickly recognize this as a malware-laden file, most users will not, and will follow the instructions by enabling macros.

As soon as this happens, the malicious scripts stored in the document's macro are executed, and the malware is retrieved from a remote Web server, saved on the computer, and even launched.

In the past few years, we've seen macro malware deliver all kinds of malware, from spyware to adware, but most importantly ransomware.

Sysadmins can block macros from running in Office files retrieved from the Internet

Now, Microsoft is announcing a new feature in its Office 2016 suite that will allow corporate network administrators to block the execution of macros in Office files retrieved from untrusted sources, which in most network configurations is "the Internet."

"This feature can be controlled via Group Policy and configured per application," Microsoft explains. "It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet."

Once a network admin enables this protection for Office 2016 installations, when the user tries to enable a macro in a file downloaded off the Internet, he'll get a message like the following.

Warning shown to users that try to enable macros that retrieve content off the Internet

How to block macros in files retrieved from the Internet in Office 2016

If you're a system administrator and you're running Office 2016 in your network, here's how to automatically block macros in files downloaded off the Internet.

Step 1: Download the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool from Microsoft's website.

Step 2: Open the Group Policy Management Console. Click Start, click Control Panel, click Administrative Tools, and then click Group Policy Management.

Step 3: Locate and right-click the Group Policy Object that you want to configure and click Edit.

Step 4: In the Group Policy Management Editor, go to User Configuration (see image below).

Step 5: Select Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center. (see image below)

Step 6: Open the Block macros from running in Office files from the Internet option, configure it, and then enable it. (see image below)
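
Once the Group Policy Object has been applied, an administrator can confirm on a client that the setting actually arrived. The PowerShell below is an added example, not part of Microsoft's guide or the original article. It assumes the policy is stored as the DWORD value blockcontentexecutionfrominternet under the per-application Security key in the user's policy hive; that location is not stated in this article. Because the setting is configured per application, it also shows whether Excel and PowerPoint were covered, not just Word.

```powershell
# Added example: audit the "Block macros from running in Office files from the
# Internet" policy for the current user.
# Assumption (not stated in the article): the policy is stored as the DWORD
# 'blockcontentexecutionfrominternet' (1 = enabled) under
# HKCU:\Software\Policies\Microsoft\Office\<version>\<app>\Security
function Get-MacroBlockStatus {
    param(
        # 16.0 = Office 2016, 15.0 = Office 2013
        [string[]]$Version = @('16.0'),
        [string[]]$App     = @('Word', 'Excel', 'PowerPoint')
    )
    $name = 'blockcontentexecutionfrominternet'
    foreach ($v in $Version) {
        foreach ($a in $App) {
            $key   = "HKCU:\Software\Policies\Microsoft\Office\$v\$a\Security"
            $value = $null
            if (Test-Path -Path $key) {
                # A missing value yields $null instead of an error
                $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($prop) { $value = $prop.$name }
            }
            $status = if ($null -eq $value) { 'NotConfigured' }
                      elseif ($value -eq 1) { 'Blocked' }
                      else                  { 'Allowed' }
            [pscustomobject]@{
                OfficeVersion = $v
                Application   = $a
                PolicyValue   = $value
                Status        = $status
            }
        }
    }
}

# Check both Office 2016 and Office 2013 policy paths
$report = Get-MacroBlockStatus -Version '16.0', '15.0'
$report | Format-Table -AutoSize

# Flag every application where Internet-sourced macros are not blocked
$gaps = @($report | Where-Object { $_.Status -ne 'Blocked' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) application policy entries are not set to block macros."
}
```

Run it in the affected user's session after a Group Policy refresh; a NotConfigured row for Excel or PowerPoint means steps 5 and 6 still need to be repeated for that application's template.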

Microsoft has issued the following advice: "Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization."

UPDATE [October 27, 2016]: This feature is now available for Office 2013 as well.

"Block macros from running in Office files from the Internet" option
