Macros are small programs that can be embedded in Office documents, such as Word or Excel files. They can automate tasks, such as inserting text or images, performing calculations, or printing documents. While macros can be helpful, they can also pose a security risk. Malicious macros can be used to install malware, steal sensitive information, or modify the registry settings on a victim’s computer. For example, a macro might download and run a malicious program that encrypts files on the victim’s computer, making them inaccessible. Macros allow cyber criminals to perform various types of cyber attacks on the target. Unfortunately, malware authors often abuse macros to do nasty things. It has therefore become essential to block macros in Office documents, especially the ones downloaded from the Internet.
To protect yourself from such attacks, it’s important to be aware of the risks associated with macros and to take steps to mitigate those risks. We have published this post to let you know how to manually auto block macros in office documents downloaded from the Internet.
In fact, Microsoft took a proactive approach to blocking macros in Office documents from the Internet. In February 2022, it announced that, starting in June 2022, macros would be blocked by default in all Office documents carrying the Mark of the Web (MoTW).
Unfortunately, without valid justification, Microsoft has rolled back the settings and removed the blocks, leaving the users of Microsoft Office at risk of malware infections. However, Microsoft has left a note that this rollback is temporary; blocks will be imposed soon. Microsoft didn’t reveal the exact rollback time. Now it is the responsibility of the users to decide whether they truly need to set the block. If you want to know how to manually auto-block macros in Office documents downloaded from the Internet, follow the next section.
Before we jump right in to how to auto-block macros in Office documents, it is good to know about a feature in Windows called ‘Mark of the Web’. Microsoft is not talking about imposing blocks on every document. It is talking about the documents that carry the Mark of the Web.
Mark of the Web is a markup that can be added to HTML files, Office documents, and other types of files. It tells Windows, web browsers, and other applications such as Microsoft Office how to handle those files when they’re downloaded from the Internet. When a file is downloaded to a device running Windows, a Mark of the Web (MOTW) attribute is added to the file, identifying its source as being from the Internet.
When Windows sees the Mark of the Web attribute on a file, it displays additional warnings to the user before running the file. In the same way, when Microsoft Office sees the Mark of the Web attribute on its documents, such as Word or Excel files, it opens the documents in Protected View with a warning message that the document may contain viruses or other malware.
You might have noticed such security warnings several times and ignored them. We can’t say all the files with such security warnings are infected with malware, but there could be a risk.
It is easy to block macros in Office documents from the Internet. The implementation only requires a change in Group Policy. Microsoft has had a group policy named ‘Block macros from running Office files from the Internet’ since Office v2016. Enabling the policy will stop macros from being executed in Office documents. All you need to do is install the Microsoft Office group policy and enable the ‘Block macros from running Office files from the Internet’ policy for each application like Word, Excel, PowerPoint, Access, and so…
When you enable the policy and set the auto-block macros in office documents, a security risk message will appear on the document.
Open Group Policy Management, expand the domain, right-click Group Policy Objects, and select New.
You can choose your desired name to create the Policy Object.
Since Administrative Templates are not loaded by default, we want you to download and install the Administrative Templates for Microsoft Office Group Policies. In this demo, Microsoft Office suite.
Expand the application, in this case Microsoft Word, and select Word Options to locate the ‘Block macros from running Office files from the Internet’ policy.
Edit the policy, select the Enabled radio button, and hit OK.
Make sure the policy shows as enabled on the Domain Group Policy.
This is how you can enable the ‘Block macros from running Office files from the Internet’ policy to set auto-block macros in Office documents.
Note: A new registry value named ‘blockcontentexecutionfrominternet’ is created and set to ‘1’ when you enable the ‘Block macros from running Office files from the Internet’ policy. You can find it under the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[office version]\[office application]\security key.
In this demo: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security, "blockcontentexecutionfrominternet"=dword:00000001
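To confirm that the policy actually reached a user's profile for every application, the registry value from the note can be audited with PowerShell. This is an added example, not part of the original post; it assumes Office version 16.0 and that the other applications use the subkey names excel, powerpoint and access in the [office application] position.

```powershell
# Added example: audit the per-user policy value described in the note above.
# Assumptions: Office 16.0; subkey names word/excel/powerpoint/access.
$officeVersion = '16.0'
$apps          = 'word', 'excel', 'powerpoint', 'access'

function Get-MacroBlockState {
    param(
        [string]$Version,
        [string[]]$Applications,
        [string]$ValueName = 'blockcontentexecutionfrominternet'
    )
    foreach ($app in $Applications) {
        $key  = "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$app\security"
        # Returns $null when the key or the value does not exist
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            $value = $null
            $state = 'NotConfigured'      # policy never applied to this user
        } elseif ($item.$ValueName -eq 1) {
            $value = 1
            $state = 'Blocked'            # policy enabled, as in the demo
        } else {
            $value = $item.$ValueName
            $state = 'NotBlocked'         # value present but not set to 1
        }

        [pscustomobject]@{
            Application = $app
            Value       = $value
            State       = $state
            Key         = $key
        }
    }
}

$report = Get-MacroBlockState -Version $officeVersion -Applications $apps
$report | Format-Table Application, Value, State -AutoSize

# Flag every application where the block is missing
$gaps = $report | Where-Object State -ne 'Blocked'
if ($gaps) {
    Write-Warning ('Macro block not enforced for: ' + ($gaps.Application -join ', '))
}
```

Run it in the context of the user being checked, because the value lives under HKEY_CURRENT_USER.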
If the document you have is a trusted one and you don’t want to see the security warning and run the macro each time you open the file, you can remove the Mark of the Web attribute from the document. To remove it, go to the general properties of the document, click the Unblock button in the security section, then hit Apply.
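On NTFS volumes the Mark of the Web is stored in an alternate data stream named Zone.Identifier, where ZoneId=3 means the Internet zone. The following added example (not from the original post) lists the Office documents in a folder that still carry the mark, so each one can be reviewed before it is unblocked; the Downloads folder and the extension list are assumptions.

```powershell
# Added example: find Office documents that still carry the Mark of the Web.
# Assumptions: files are in the user's Downloads folder on an NTFS volume;
# the extension list is a sample, extend it as needed.
$folder     = Join-Path $env:USERPROFILE 'Downloads'
$extensions = '.doc', '.docm', '.xls', '.xlsm', '.ppt', '.pptm'

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # The mark is a small INI-style text stream attached to the file
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return }           # no stream: file is not marked

    $info = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }

    [pscustomobject]@{
        File         = $Path
        ZoneId       = [int]$info['ZoneId']
        FromInternet = ([int]$info['ZoneId'] -eq 3)   # 3 = Internet zone
        HostUrl      = $info['HostUrl']               # present when the browser recorded it
    }
}

Get-ChildItem -LiteralPath $folder -File |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object FromInternet |
    Format-Table File, ZoneId, HostUrl -AutoSize

# PowerShell equivalent of the Unblock button, for one file that has been
# reviewed and is trusted (placeholder path):
# Unblock-File -LiteralPath 'C:\path\to\reviewed-document.docm'
```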
Mark of the Web is not a security measure on its own, but it can be used as part of a larger security strategy. For example, you could use Mark of the Web in conjunction with disabling macros or setting your security settings to only allow signed macros to run.
We hope this post would help you know how to manually auto-block macros in office documents downloaded from the Internet.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.