Microsoft does not want to block macros in Office by default after all

[German]Macros in Office are a gateway for malware like Dridex, Emotet, Trickbot, Qbot, etc. Microsoft had plans to disable macros in Office 365 by default. Now this idea seems to have been scrapped again, macros will not be blocked by default in Office in the future either. At least, that's what Microsoft's told us recently within a few sentences.


Roadmap for blocking macros

There is an old Office roadmap from Microsoft that deals with the issue. The following screenshot still shows the announcement from February 8, 2022, which states that Microsoft Office wants to change the behavior of blocking macros from files downloaded via the Internet for security reasons.

Roadmap: Blocking VBA-Macros in Office

The details ar explained in more detail in the Techcommunity article Helping users stay safe: Blocking internet macros by default in Office. There it said in February 2022:

We're introducing a default change for five Office apps that run macros:

VBA macros obtained from the internet will now be blocked by default

For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.

This change should only affect Office on devices running Windows and only the following applications: Access, Excel, PowerPoint, Visio, and Word. The change was to be rolled out with version 2203 for the aforementioned applications, starting with the Current Channel (Preview) in early April 2022. Later, this change was also planned to be rolled out in the other update channels like the Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel and they even wanted to roll this out to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.

Backing down on Office Macro blockade

I hadn't noticed the whole thing, but the colleagues from Bleeping Computer had mentioned it here in February 2022. However, the roadmap above shows a reference to a modification on July 7, 2022. The colleagues from Bleeping Computer noticed this and they point out on Twitter as well as in this article that Microsoft is backing down.


No Macro blocking in Office

Microsoft must have announced this on July 7, 2022 in the Microsoft 365 Message Center (at MC393185 or MC322553) to customers who manage related products. Bleeping Computer quotes the following (I don't have access to the Microsoft 365 Message Center):

Based on feedback, we're rolling back this change from Current Channel. We appreciate the feedback we've received so far, and we're working to make improvements in this experience. We'll provide another update when we're ready to release again to Current Channel. Thank you.

So, according to Bleeping Computer, the blocking of VBA macros in Office applications where it has already been rolled out is being rolled back. This was probably bumped up on July 6, 2022 by a user who asked on Techcommunity in the original article if the feature had been rolled back.

Is it just me or have Microsoft rolled this change back on the Current Channel?

I was trying to reproduce the pinkish-red 'Security Risk… Learn More' notification in the Message Bar, in preparation for demonstrating the new default behaviour for a YouTube video I'm putting together about my company's macro-enabled toolkit.

Created a simple .xlsm to show a MsgBox in the open event of the workbook, saved it and uploaded it to cloud storage, deleted it from my local storage, re-downloaded it from cloud storage (to a non-trusted location, my Downloads library)… did not use the Unblock checkbox on the Properties dialog to remove the mark of the web… then opened up the file.

It first went into Protected View (expected behaviour), but then after I clicked Enable Editing, instead of getting the pink/red message about macros being blocked altogether, I just got the old 'Security warning…' message with the 'Enable Content' button. The file's VBA project wasn't digitally signed, wasn't saved to a Trusted Location, and still had the mark of the web on it… so macros should have been blocked.

I also tried uploading it and re-downloading it from our Sharepoint document library, emailing it to my work address from my personal address, opening it directly from the attachment… still macros weren't blocked entirely. Even tried downloading an .xlsm from the internet that I hadn't created (from a known trustworthy source) that my installation of Office had never encountered before, so that it definitely wasn't a Trusted Document… and STILL macros weren't blocked.

It feels like something has undone this new default behaviour very recently… maybe Microsoft Defender is overruling the block?

I'm loathed to clear my Trusted Documents in an effort to trigger the red macro block message, just for the sake of the video, but I'm not sure what else to try at this point.

Microsoft employee Angela Robertson then confirmed in another comment that the deactivation of Macros had been rolled back based on the feedback. There is currently no further explanation from Microsoft. Users are not really thrilled about the communication from Redmond regarding this issue.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *