Microsoft says decision to stop blocking Office VBA macros by default is ‘temporary’

Microsoft said its decision to roll back a popular change that blocked Visual Basic for Applications (VBA) macros by default in a variety of Office apps will be “temporary.”

The company has faced significant backlash since it announced on Friday that it would be restoring the feature that was instituted earlier this year.

For years, cybersecurity researchers and Microsoft itself said cybercriminals and hackers send macros in Office files to people who unknowingly enable them, allowing malicious payloads to be delivered. In many cases, malware is delivered and there have been countless instances of data theft, remote access, ransomware and more. 

In February, the company said that for macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. 

“A message bar will appear for users notifying them with a button to learn more. The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations,” the company explained in a blog post at the time.

But the company reversed course last week, telling The Record that because of “user feedback,” they decided to roll back the change “temporarily” while they “make some additional changes to enhance usability.”

“This is a temporary change, and we are fully committed to making the default change for all users,” the company said in a statement. 

“We will provide additional details on timeline in the upcoming weeks.”

The spokesperson added that Microsoft customers can still block internet macros through the Group Policy settings page. 

The company would not answer questions about what prompted the change and if it would be restored before the end of the year.

Arctic Wolf’s Ian McShane called the decision “unfortunate and disappointing,” noting that it would have been a huge step forward for securing one of the most tried and tested attack paths. 

He added that malware like Quakbot and Emotet is distributed through these kinds of malicious docs.

“Whether this was rolled back due to technical concerns or customer feedback, office users are less secure today than they were last week; security teams need to be on high alert, and re-remind users about the risks of active content in office docs,” McShane said. 

“While I was surprised to hear that there were plans to address it with a default macro disable, I’m even more surprised that those plans are being backpedaled. Overall, the question of usability vs. security is a huge problem to solve, but the user hurdle of disabled macros is a far smaller price to pay than picking up the pieces of a successful Emotet attack. This attack path has been a well-known problem for decades and unfortunately, the approach to mitigating the risk of macros has always been on the end user, rather than fix at the source.”

He told The Record that cybersecurity teams should be prepared for a spike in macro-based cyberattacks, “now that this attack path has been made easier again.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.