Microsoft previously announced a new security feature that would see VBA macros automatically blocked by default, but there has been a rollback in response to negative feedback from users.

Phishing emails are commonly used for malware delivery which contain links to websites where the malware is hosted or by using malicious email attachments. Word, Excel, Access, PowerPoint, and Visio files are commonly attached to emails that include VBA macros. While there are legitimate uses for VBA macros, they are often used for malware delivery. When the documents are opened, the macros would run and deliver a malware loader or sometimes the malware payload directly.

Office macros have been used to deliver some of the most dangerous malware variants, including Emotet, TrickBot, Qakbot, Dridex. To improve security, in February 2022, Microsoft announced that it would be blocking VBA macros by default. If macros are blocked automatically, it makes it much harder for this method of malware delivery to succeed.

With autoblocking of macros, users are presented with a security alert if a file is opened that includes a VBA macro. When opening a file with a VBA macro, the following message is displayed in red:

“SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted.”

The user would not be able to click the warning to override the blocking, instead, they would be directed to a resource that provides further information on the risk of enabling macros. They would have the option of ignoring the warning but would be strongly advised not to. Previously, a security warning was displayed in a yellow warning box that says, “Security Warning: Macros have been disabled.” The user would be presented with a prompt to Enable Content, and thus ignore the warning.

Microsoft had rolled out this new security feature, but recently Windows users started to notice that the new security warning was no longer being displayed, instead, Microsoft appeared to have rolled back to its previous system without announcing it was doing so.

Microsoft did confirm that it is rolling back this security feature and that an update announcing that has been planned; however, it had not been announced before the rollback started. The process has been heavily criticized, not for the rollback itself (although there has been criticism of that), but for starting the rollback without first making an announcement.

Microsoft said the rollback was due to negative feedback it had received, but it is not known at this stage which users had complained. It is suspected that the change posed a problem for individuals who commonly use VBA macros, and the automatic blocking made the process of running macros cumbersome. Most SMB users, however, do not deal with macros frequently, so the rollback means a reduction in security.

It took several days for Microsoft to confirm that the rollback is temporary and that it was necessary to make changes to improve usability. Microsoft said it is still committed to blocking macros by default for users. So, while this is a U-turn, it is just a temporary one.

While automatically blocking macros is important to improve security, it is still strongly recommended to implement a robust email security solution, as macros are not the only way that malware is delivered via email. Also, blocking macros will do nothing to stop phishing emails from being delivered.

With SpamTitan Email Security, phishing and malware threats can be easily blocked. For more information, give the TitanHQ team a call.