Microsoft Adds New Feature in Office 2016 That Can Block Macro Malware

Share this…

How-to guide also included, showing sysadmins how to protect their enterprises from malicious macro malware. Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware.

For years, macro malware has been the easiest avenue in infecting Microsoft users, and despite all the warnings and examples where macro-transmitted malware infections have ravaged entire companies, users kept enabling macros in their Office documents.

Created to allow dynamic content to be loaded in Word, Excel, and Powerpoint documents, macros allow crooks to automatically execute malicious scripts that connect to the Internet and download malware.

The usual way to deliver macro malware is by spam. Victims get an email in their inbox that has an attached Office file. The victim downloads the Office file and tries to open it, usually finding a (social engineered) message at the top of the document instructing him to exit Protected View and Enable Macros to view the content in its entirety.

While security-aware users will quickly recognize this as a malware-laden file, most users will not, and will follow the instructions by enabling macros.

As soon as this happens, the malicious scripts recorded in the document’s macro are executed, and the malware is retrieved from a remote Web server, saved on the computer, and even launched in execution.

In the past few years, we’ve seen macro malware deliver all kinds of malware, from spyware to adware, but most importantly ransomware.

Sysadmins can now block macros that connect to the Internet

Now, Microsoft is announcing a new feature in its Office 2016 suite that will allow corporate network administrators to block the execution of macros that retrieve content from untrusted sources, which in most network configurations is “the Internet.”

“This feature can be controlled via Group Policy and configured per application,” Microsoft explains. “It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet.”

Once a network admin enables this protection for Office 2016 installations, when the user tries to enable a macro that retrieves content off the Internet, he’ll get a message like the following.

Warning shown to users that try to enable macros that retrieve content off the Internet

Warning shown to users that try to enable macros that retrieve content off the Internet

How to block macros that retrieve content of the Internet in Office 2016

If you’re a system administrator and you’re running Office 2016 in your network, here’s how to block macros that retrieve content off the Internet.

Step 1: Download the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool from Microsoft’s website.

Step 2: Open the Group Policy Management Console. Click Start, click Control Panel, click Administrative Tools, and then click Group Policy Management.

Step 3: Locate and right-click the Group Policy Object that you want to configure and click Edit.

Step 4: Select the Group Policy Management Editor, go to User Configuration. (see image below)

Step 5: Select Administrative templates > Microsoft Word 2016 > Word options > Security> Trust Center. (see image below)

Step 6: Open the Block macros from running in Office files from the Internet option, configure it, and then enable it. (see image below)

For situations where home-brew macros need to download content of the Internet for legitimate purposes, Microsoft has issued the following advice: “Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.”

“Block macros from running in Office files from the Internet” option

"Block macros from running in Office files from the Internet" option