Microsoft appears to have quietly, and without fanfare, reversed a February 2022 policy to block Visual Basic for Applications (VBA) macros by default across five of the most used Office applications, citing negative user feedback.
The new policy was originally introduced on the premise that by making it impossible for users to enable macros by clicking a button, and by throwing additional click-throughs and reminders in their path, it would make it harder for threat actors to trick them into opening malicious attachments containing malware payloads. The change was made at least partially because of the continued prevalence of remote working.
However, as first reported by Bleeping Computer, Redmond now appears to have put the brakes on the policy and begun a rollback – which may yet prove temporary.
The rollback was first noticed by Microsoft users puzzled as to why the old security warning had reappeared on documents containing VBA macros, as opposed to the new block notice that they were becoming used to.
UK-based user Vince Hardwick was first to query the change on Microsoft’s Tech Community forums after running into difficulties trying to demonstrate the new policy for a YouTube video he was making.
Responding to Hardwick’s query on the forums, Angela Robertson, Microsoft 365 Office Product Group principal GPM for identity and security, said: “Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologise for any inconvenience of the rollback starting before the update about the change was made available.”
Other users, including Hardwick, voiced frustration that Microsoft had failed to communicate the rollback to them.
The nature of the feedback that Robertson referred to is unclear, but if the decision to roll back is indeed based on user feedback, it is unlikely to be the feedback of the security community, which had generally welcomed the move in the hope that it would improve organisational security by cutting off an easy way for cyber criminals to establish initial access into their targets, ie by emailing them malicious documents or spreadsheets.
Security experts have already responded, describing Microsoft’s move as a “horrible idea” and a “bizarre decision”:
This is a horrible idea. I’ve lost track of the number of campaigns I saw targeting civil society that used office macros to install malware. https://t.co/fVv4QilzwB
– Eva (@evacide)
July 8, 2022
What on earth? Bizarre decision here by Microsoft to roll back its decision to block VBA macros by default. The change had already begun to impact threat actor behaviors to use other things. Alas. https://t.co/9LCA0ZCuid
– Selena (@selenalarson)
July 8, 2022
In the short period since the change began to roll out, plenty of evidence has indeed stacked up that the change was forcing threat actors to evolve their tactics, techniques and procedures (TTPs).
At the end of April, Proofpoint reported that the group behind the Emotet botnet had turned to using tainted OneDrive URLs instead of macro-enabled attachments, likely because blocking macros by default makes it harder for the average user to fall for the trick.
Then in June, Check Point reported that the Snake Keylogger was shooting back up its monthly threat charts following a number of novel email campaigns that saw it distributed in a tainted PDF file – historically, Snake had arrived in Word documents or Excel spreadsheets.
Computer Weekly contacted Microsoft to seek further clarification on the nature of the rollback, but had not received a response at the time of writing.