{"id":1707,"date":"2022-02-09T20:20:55","date_gmt":"2022-02-10T03:20:55","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=1707"},"modified":"2022-02-09T20:25:22","modified_gmt":"2022-02-10T03:25:22","slug":"microsofts-new-anti-malware-protocol-disabling-internet-macros-by-default","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/02\/09\/microsofts-new-anti-malware-protocol-disabling-internet-macros-by-default\/","title":{"rendered":"Microsoft’s New Anti-Malware Protocol: Disabling Internet Macros by Default"},"content":{"rendered":"\n
\"\"
Photo by Ed Hardie via https:\/\/unsplash.com\/@impelling<\/em><\/figcaption><\/figure><\/div>\n\n\n\n

Microsoft recently announced that effective April 2022 all VBA macros retrieved from the web will now be disabled<\/em> by default<\/em> for the following five Windows applications: Excel, Word, Access, Powerpoint, and Visio.<\/p>\n\n\n\n

What is a VBA Macro?<\/h2>\n\n\n\n

A macro<\/strong> <\/em>is a way to record, store, and run a series of commands, most often used to automate repetitive tasks in Office apps. Visual Basic for Applications (VBA)<\/strong> is a programming language used to write Office macros.<\/p>\n\n\n\n

Lots of office workers use VBA macros regularly, including me. At my current job I recently wrote some simple code that links a data entry form to a spreadsheet. The macro is embedded in the actual file and runs whatever code is saved on it, once enabled by the user.<\/p>\n\n\n\n

What’s the Big Deal?<\/h2>\n\n\n\n

Malicious agents can take advantage of this feature by embedding malware in any document that supports VBA. <\/p>\n\n\n\n

The document is then typically shared online or via email in a phishing\/spearphishing1<\/sup> <\/em>campaign. Once the user opens the file and enables macros, the malware executes in the background. This can allow the threat actor access to the user’s stored files, network, personal information, and even gain remote access to their machine. <\/p>\n\n\n\n

Since the malware exists within the Office file, it can spread and embed into other files, and compromise all of the user’s Office documents. Since VBA is compatible with all five Office apps, it can also spread across platforms.<\/p>\n\n\n\n

The Weakness<\/h2>\n\n\n\n

While Microsoft already provides a security prompt to users about macros:<\/p>\n\n\n\n

\"\"
2: Old Warning Prompt<\/a><\/em><\/figcaption><\/figure><\/div>\n\n\n\n

This doesn’t seem to be enough of a deterrent. All a threat actor needs to do is convince the unknowing (non-technical) user to Enable Content via some Social Engineering<\/em>. Once the file is downloaded, the last line of defence between the user and the threat becomes the single click of a mouse.<\/p>\n\n\n\n

\"\"
2: <\/em>Example of basic luring tactic<\/a><\/figcaption><\/figure><\/div>\n\n\n\n

This creates a huge population of vulnerable users since the Office Suite is a common preference for many organizations, public and private. Too often, many users (and some organizations) are not even aware of this risk, making it (in my opinion) the developer’s responsibility to ensure proper safety measures are enacted.<\/p>\n\n\n\n

Microsoft’s Solution<\/h2>\n\n\n\n

As of Version 2203 (incoming this April), all macros in files retrieved from the internet will be blocked by default.<\/strong><\/p>\n\n\n\n

Users will no longer be able to easily Enable Content, and will be notified with the following prompt: <\/p>\n\n\n\n

\"\"
3: <\/em>New Security Prompt<\/a><\/span><\/figcaption><\/figure><\/div>\n\n\n\n

Clicking Learn More<\/a><\/strong> 4<\/sup> links to a web page informing users about the security risks from downloading macros, some safe practices, and how to enable macros once the user is certain the file contents are safe.<\/p>\n\n\n\n

Mark of the Web (MOTW)<\/h2>\n\n\n\n

Any file retrieved from an untrusted source like the internet will be labelled as having the MOTW, automatically blocking all Macros from running. To run Macros, a user must save the file and manually remove<\/a> the MOTW.<\/p>\n\n\n\n

\"\"
3: <\/em>Evaluation Flow with New Default Protocol<\/a><\/span><\/figcaption><\/figure><\/div>\n\n\n\n

To end on some general tips Microsoft offers4<\/sup>:<\/p>\n\n\n\n