Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months, according to Microsoft—and the computing giant has vowed to do something about it, in the form of a blocker for Word, Excel and PowerPoint documents.
In the enterprise, data from the Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros. So, Microsoft is releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.
“The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros,” the Redmond behemoth said in a blog. “Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.”
The new tactical feature in Office 2016 can help enterprise administrators prevent the risk from macros by allowing an enterprise to selectively scope macro use to a set of trusted workflows. It also allows admins to block easy access to enable macros in scenarios considered high risk, and it can provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation from a normal workflow.
The feature can be controlled via Group Policy and configured per application.
High-risk scenarios include documents downloaded from internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox); documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email); and documents opened from public shares hosted on the internet (such as files downloaded from file-sharing sites).
“This feature relies on the security zone information that Windows uses to specify trust associated with a specific location,” Microsoft said. “For example, if the location where the file originates from is considered the internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.”
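The zone check described above can be sketched as a triage script. This is an added example, not Microsoft's code: it assumes the zone is read from the `Zone.Identifier` alternate data stream that Windows attaches to downloaded files, it models only the Internet-zone rule quoted above, and the function names and sample streams are constructed for illustration.

```python
import configparser

# Windows URL security zone ids as written to the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
INTERNET = 3

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None

def read_zone_stream(path):
    """Read the NTFS alternate data stream of a file; None if there is no mark."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def macros_blocked(zone_id, policy_enabled):
    """Model of the quoted rule: block only when the origin is the Internet zone."""
    return bool(policy_enabled) and zone_id == INTERNET

def triage(streams, policy_enabled=True):
    """Map each file name to (zone label, blocked?) for a dict of name -> stream text."""
    report = {}
    for name, text in streams.items():
        zone = parse_zone_id(text)
        label = ZONES.get(zone, "no zone mark" if zone is None else "unknown")
        report[name] = (label, macros_blocked(zone, policy_enabled))
    return report

# Constructed sample streams (not taken from real files).
SAMPLES = {
    "invoice.docm": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/invoice.docm\r\n",
    "budget.xlsm": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "template.pptm": None,            # created locally, no stream
    "damaged.docm": "ZoneId=3\r\n",   # missing [ZoneTransfer] section header
}

if __name__ == "__main__":
    for name, (label, blocked) in triage(SAMPLES).items():
        print(f"{name:15} {label:15} macros blocked: {blocked}")
```

On a Windows host, `read_zone_stream` supplies the stream text for real files. A file with no readable zone mark is not treated as Internet-origin in this model, so such files deserve separate review.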