If you're a Microsoft Office power user, you know about VBA macros. Macros power much of business automation in Office, a precursor to more modern solutions like Power Automate, helping to automate repetitive tasks. But since they have been so prevalent, and so easy to write, they've also become a popular attack vector for bad actors to deliver malicious payloads, sending "helpful" macros to business users, who then unknowingly not only make their days a bit easier, but also introduce malware, identity compromise, data loss, and remote access.
In order to help change that, today Microsoft is announcing that "VBA macros obtained from the internet will now be blocked by default:"
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.
At a future date to be determined, we also plan to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.
Instead of enabling these potentially harmful macros by default, Office programs will instead display a Security Risk warning, with a link to Learn More.
Microsoft is enabling organizations to manage policies to block macros from the internet from running in Office, and suggests that users only open files from a Trusted Location, and/ore files that are digitally signed. Office admins can learn more from this Microsoft Docs page.
While VBA macros continue to be a useful and powerful tool, running untrusted macros obtained from the internet has never been a good idea, and it's good to see Microsoft taking action to prevent this common security compromise.
Do you run macros in Office? What steps do you take to make sure they're safe? Let us know in the comments below