Microsoft appears to have quietly, and without fanfare, reversed a February 2022 policy to block Visual Basic for Applications (VBA) macros by default across five of the most used Office applications, citing negative user feedback.
The new policy was originally introduced on the basis that making it impossible for users to enable macros simply by clicking a button, and throwing additional click-throughs and reminders in their path, would make it harder for threat actors to trick them into opening malicious attachments containing malware payloads. The change was made at least partly because of the continued prevalence of remote working.
However, as first reported by BleepingComputer, Redmond now appears to have put the brakes on the policy and begun a rollback – which may yet prove temporary.
The rollback was first spotted by Microsoft users puzzled as to why the old security warning had reappeared on documents containing VBA macros, rather than the new block notice they had been getting used to.
UK-based user Vince Hardwick was first to query the change on Microsoft's Tech Community forums after running into difficulties trying to demonstrate the new policy for a YouTube video he was making.
Responding to Hardwick's query on the forums, Angela Robertson, Microsoft 365 Office Product Group principal GPM for identity and security, said: "Based on feedback received, a rollback has started. An update about the rollback is in progress. I apologise for any inconvenience of the rollback starting before the update about the change was made available."
Other users, including Hardwick, voiced frustration that Microsoft had failed to communicate the rollback to them.
The nature of the feedback that Robertson referred to is unclear, but if the decision to roll back is indeed based on user feedback, it is unlikely to be the feedback of the security community, which had generally welcomed the move in the hope that it would improve organisational security by cutting off an easy means for cyber criminals to establish initial access into their targets, ie by emailing them malicious documents or spreadsheets.
Security experts have already responded, describing Microsoft's move as a "terrible idea" and a "weird decision":
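Whatever Microsoft does with the default, organisations are not obliged to wait for it: the same block can be pinned per user through the Office Group Policy setting "Block macros from running in Office files from the Internet", which is backed by a documented registry value. The following PowerShell script is an added example written for this page, not code from the Computer Weekly article or from Microsoft. It audits that policy value for the five applications the default change covered, optionally enforces it, and also reads the older VBAWarnings user setting whose default ("disable with notification") produces the security warning bar that users reported seeing again. The registry paths and value meanings are the ones Microsoft documents for Office 2016 and later (the 16.0 hive); the script assumes that version of Office.

```powershell
# Added example for this page (not from the article or from Microsoft).
# Audits, and with -Enforce sets, the Group Policy-backed value that blocks
# macros in Office files that carry the Mark of the Web, for the five apps
# covered by Microsoft's February 2022 default change. Run in the context of
# the user whose Office settings you want to inspect.
param(
    [switch]$Enforce
)

$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

# Meaning of the legacy per-user VBAWarnings value (absent = 2, the default).
$vbaWarningText = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

$results = foreach ($app in $apps) {
    # Policy location written by Group Policy / Cloud Policy; a 1 here enforces
    # the block regardless of what the product default happens to be this month.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $policy = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    if ($Enforce -and $policy -ne 1) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        $policy = 1
    }

    if ($policy -eq 1) {
        $status = 'Enforced by policy'
    } elseif ($policy -eq 0) {
        $status = 'Explicitly disabled by policy'
    } else {
        $status = 'Not set: relies on the Microsoft default'
    }

    # Legacy user-level trust setting, shown for context; it is what the old
    # "Security Warning" bar is driven by when no policy is in force.
    $userKey = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    $warn = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $warn) { $warn = 2 }

    [pscustomobject]@{
        Application         = $app
        BlockInternetMacros = $status
        VBAWarnings         = $vbaWarningText[[int]$warn]
    }
}

$results | Format-Table -AutoSize
```

Run it without arguments to report, or with `-Enforce` to write the value for every application that does not already have it. In a managed estate the same setting should of course be deployed through Group Policy or Cloud Policy rather than by script, so that it is re-applied on refresh and cannot be undone by the user; the script is for confirming what a given machine actually has.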
This is a terrible idea. I've lost track of the number of campaigns I saw targeting civil society that used office macros to install malware. https://t.co/fVv4QilzwB
– Eva (@evacide), July 8, 2022
What in the world? Weird decision here by Microsoft to roll back its decision to block VBA macros by default. The change had already begun to impact threat actor behaviors to use other things. Alas. https://t.co/9LCA0ZCuid
– Selena (@selenalarson), July 8, 2022
In the short period since the change began to roll out, plenty of evidence has indeed stacked up that the change was forcing threat actors to evolve their tactics, techniques and procedures (TTPs).
At the end of April, Proofpoint reported that the group behind the Emotet botnet had turned to using tainted OneDrive URLs instead of macro-enabled attachments, apparently because blocking macros by default makes it harder for the average user to fall for the trick.
Then in June, Check Point reported that the Snake Keylogger was climbing back up its monthly threat charts following a number of novel email campaigns that saw it distributed in a tainted PDF file – historically, Snake had arrived in Word documents or Excel spreadsheets.
Computer Weekly contacted Microsoft to seek further clarification on the nature of the rollback, but had not received a response at the time of writing.