How to Auto Block Macros in Office Documents Downloaded from the Internet

Macros are small programs that can be embedded in Office documents, such as Word or Excel files. They can automate tasks, such as inserting text or images, performing calculations, or printing documents. While macros can be helpful, they can also pose a security risk. Malicious macros can be used to install malware, steal sensitive information, or modify the registry settings on a victim’s computer. For example, a macro might download and run a malicious program that encrypts files on the victim’s computer, making them inaccessible. Macros allow cyber criminals to perform various types of cyber attacks on the target. Unfortunately, malware authors often abuse macros for malicious purposes. It has therefore become essential to block macros in Office documents, especially those downloaded from the Internet.

To protect yourself from such attacks, it’s important to be aware of the risks associated with macros and to take steps to mitigate those risks. We have published this post to show you how to automatically block macros in Office documents downloaded from the Internet.

In fact, Microsoft took a proactive approach to blocking macros in Office documents from the Internet. In Feb 2022, it announced that, from June 2022, it would block macros by default in all Office documents carrying the Mark of the Web (MoTW).

Unfortunately, without valid justification, Microsoft has rolled back the setting and removed the block, leaving users of Microsoft Office at risk of malware infections. However, Microsoft has left a note that this rollback is temporary; blocks will be imposed soon. Microsoft didn’t reveal the exact rollback time. Now it is the responsibility of users to decide whether they truly need to set the block. If you want to know how to automatically block macros in Office documents downloaded from the Internet, follow the next section.

What Is Mark-Of-The-Web (MoTW) In Microsoft Office?

Before we look at how to auto block macros in Office documents, it is good to know about a feature in Windows called ‘Mark of the Web’. Microsoft is not talking about imposing blocks on every document. It is talking only about documents marked with the Mark of the Web.

Mark of the Web is a markup that can be added to HTML files, Office documents, and other types of files. It tells Windows, web browsers, and other applications such as Microsoft Office how to handle those files when they’re downloaded from the Internet. When a file is downloaded to a device running Windows, a Mark of the Web (MoTW) attribute is added to the file, identifying its source as being from the Internet.

When Windows sees the Mark of the Web attribute on a file, it displays additional warnings before the user runs the file. In the same way, when Microsoft Office sees the Mark of the Web attribute on its documents, such as Word or Excel files, it opens them in Protected View with a warning message that the document may contain a virus or other malware.
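To see the attribute described above on a real file, the following added example (not part of the original post) reads it with PowerShell. It assumes an NTFS volume, where Windows stores the mark in an alternate data stream named Zone.Identifier; the function name `Get-MotwInfo`, the sample file and its `HostUrl` value are constructed for illustration.

```powershell
# Added example: read the Mark of the Web that Windows stores in the
# NTFS alternate data stream "Zone.Identifier" of a downloaded file.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    # URL security zones as Windows numbers them; 3 is the Internet zone.
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    # A file without the stream yields nothing, so the loop below is skipped.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId  = $null
    $hostUrl = $null
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)$')     { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        HasMotw = $null -ne $zoneId
        Zone    = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { $null }
        HostUrl = $hostUrl
    }
}

# Constructed sample: a placeholder file tagged the way a browser download is.
$sample = Join-Path $env:TEMP 'motw-demo.docm'
Set-Content -LiteralPath $sample -Value 'placeholder, not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'HostUrl=https://downloads.example/report.docm'   # constructed URL
)

Get-MotwInfo -Path $sample      # HasMotw = True, Zone = Internet
Remove-Item -LiteralPath $sample
```

Files with `ZoneId=3` are the ones the macro-blocking policy in the next section applies to.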

You might have noticed such security warnings several times and ignored them. We can’t say all the files with such security warnings are infected with malware, but there could be a risk.

How To Auto Block Macros In Office Documents Downloaded From The Internet?

It is easy to block macros in Office documents from the Internet. The implementation requires a change in Group Policy. Microsoft has had a group policy named ‘Block macros from running Office files from the Internet’ since Office 2016. Enabling the policy will stop macros from being executed in Office documents from the Internet. All you need to do is install the Microsoft Office group policy templates and enable the ‘Block macros from running Office files from the Internet’ policy for each application like Word, Excel, PowerPoint, Access, and so…

When you enable the policy and set the auto block macros in office documents, a security risk message will appear on the document. 

Time needed: 10 minutes.


  1. Create a Domain Group Policy Object.

    Open Group Policy Management, expand the domain, right-click on the Group Policy Object, and select New.


  2. Create a Group Policy named ‘AutoBlockMacros’.

    You can choose your desired name to create the Policy Object.


  3. Edit the Group Policy Object (GPO) created in Step 2.


  4. Download and install the Administrative Templates for Microsoft Office Group Policies.

    Administrative Templates are not loaded by default, so download and install the Administrative Templates for Microsoft Office Group Policies. In this demo, Microsoft Office suite.


  5. Locate the ‘Block macros from running Office files from the Internet’ policy.

    Expand the application, in this case Microsoft Word, and select Word Options to locate the ‘Block macros from running Office files from the Internet’ policy.


  6. Enable the ‘Block macros from running Office files from the Internet’ policy

    Edit the policy, select the Enabled radio button, and hit OK.


  7. The ‘Block macros from running Office files from the Internet’ policy enabled

    Make sure the policy is enabled. This is what you can see after you enable the policy on the Domain Group Policy.


This is how you can enable the ‘Block macros from running Office files from the Internet’ policy to set auto block macros in Office documents.

Note: A new registry value named ‘blockcontentexecutionfrominternet’ is created and set to ‘1’ when you enable the ‘Block macros from running Office files from the Internet’ policy. You can see the value under the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[office version]\[office application]\security key.

In this demo: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security\blockcontentexecutionfrominternet = dword:00000001
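The registry value in the note gives a quick way to confirm that the GPO actually reached a user's session. The following added example (not part of the original post) checks it for each application the post names; the function name `Get-MacroBlockPolicy` is hypothetical, and the key names for applications other than Word are assumed to follow the same `[office application]` pattern as the Word key shown above.

```powershell
# Added example: audit the 'blockcontentexecutionfrominternet' policy value
# for the current user, per Office application.
function Get-MacroBlockPolicy {
    param(
        [string]$OfficeVersion = '16.0',    # version used in the post's demo
        # Key names other than 'word' are assumed from the documented pattern.
        [string[]]$Applications = @('word', 'excel', 'powerpoint', 'access')
    )

    foreach ($app in $Applications) {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\office\$OfficeVersion\$app\security"

        # Returns nothing (not an error) when the key or value is absent.
        $item  = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.blockcontentexecutionfrominternet } else { $null }

        $state = if ($null -eq $value) { 'Not configured' }
                 elseif ($value -eq 1) { 'Blocked' }
                 else                  { "Not blocked (value $value)" }

        [pscustomobject]@{
            Application = $app
            RegistryKey = $key
            Value       = $value
            State       = $state
        }
    }
}

# Show the result as a table; run 'gpupdate /force' first if the GPO was just linked.
Get-MacroBlockPolicy | Format-Table Application, Value, State -AutoSize

# Flag any application where the policy has not been applied.
$gaps = Get-MacroBlockPolicy | Where-Object { $_.State -ne 'Blocked' }
if ($gaps) {
    Write-Warning ("Macro block policy missing for: " + ($gaps.Application -join ', '))
}
```

An application listed as 'Not configured' means the policy was never enabled for it in the GPO, since the post's procedure has to be repeated per application.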

How To Remove The Mark Of The Web Attribute In The Document?

If the document you have is a trusted one and you don’t want to see the security warning and run the macro each time you open the file, you can remove the Mark of the Web attribute from the document. To remove it, go to the General properties of the document, click the Unblock button in the Security section, then hit Apply.

Wrap Up

Mark of the Web is not a security measure on its own, but it can be used as part of a larger security strategy. For example, you could use Mark of the Web in conjunction with disabling macros or setting your security settings to only allow signed macros to run.

We hope this post will help you know how to automatically block macros in Office documents downloaded from the Internet.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
