Microsoft has pulled back on its decision to block downloaded Excel files containing macros by default. They have said they will push this change out again in the future. If you were caught flat-footed by this decision and suddenly couldn’t figure out how to unblock your Excel files that you relied upon, you need to act before Microsoft rolls this out again. Evaluate now why you are allowing such risky behavior and how you can better protect your firm.
While Microsoft pulled back from this decision, I urge you to look for additional ways to protect users from phishing lures and attack vectors that include malicious Office files. Because many of these attacks come via email, but not necessarily as email attachments, evaluate whether your phishing protection and user education are appropriate. I’ve seen many a phishing lure come in via web links, pretend cloud services, and other techniques that bypass traditional antivirus and file filtering.
Educate users on file sharing, suspicious file processes
Educate your users on how your cloud file-sharing services work and which ones are normal processes for your firm. Empower them to not open files and have a process for them to request review and evaluation of suspected files. Standardizing on a browser process that screens files proactively will ensure that many such phishing lures are blocked from your users.
Limit access to Excel macros and Office applications
Determine who in your office truly needs access to Excel macros. Set up Group Policy restrictions to limit access only to those users and organizational units that need them. Stratify your firm and user roles as to who needs macros and who does not. Chances are that not everyone in your firm needs – or uses – Excel or even macros. The Office Deployment Tool (ODT) allows you to customize who in your firm has access to which applications in the Office suite. Not everyone in your organization needs access to every Office application. Use the tool to customize your deployment. Structure your organizational units and deployment processes with a limitation mindset: Only deploy software to those users that need the ability to use a particular platform.
Next, set the macro policies for the applications you wish to limit. Enable “Protected” to block macros from running in files obtained from the internet. Download the ADMX files from Microsoft and install the version of the templates that matches whether you have deployed the 32-bit or 64-bit version of Office.
Each Office application has its own Group Policy setting. Look under User Configuration, then Policies, then Administrative Templates, at the following locations:
- For Access, look under Microsoft Access 2016\Application Settings\Security\Trust Center.
- For Excel, look under Microsoft Excel 2016\Excel Options\Security\Trust Center.
- For PowerPoint, look under Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center.
- For Visio, look under Microsoft Visio 2016\Visio Options\Security\Trust Center.
- For Word, look under Microsoft Word 2016\Word Options\Security\Trust Center.
To determine which files these changes will impact, use the Readiness Toolkit (download version 1.2.22161). From a command prompt, go to the folder where you installed the Readiness Toolkit and run ReadinessReportCreator.exe with the -blockinternetscan option. For example: ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles\ -r -output \\server01\finance -silent
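As an added example that is not part of the original article or of the Readiness Toolkit, the PowerShell script below performs a rough version of the same inventory: it walks a folder, detects which Office files carry VBA macros, reads the Mark of the Web from the Zone.Identifier stream, and reports the files that the internet-block policy would actually affect. The $Root and $Report paths are placeholders for your own environment.

```powershell
# Added example, not part of the original article or of the Readiness Toolkit.
# Lists Office files under $Root that the "block macros in files from the
# internet" policy would affect: files that carry VBA macros AND a Mark of the
# Web (Zone.Identifier stream) with ZoneId 3 (Internet) or 4 (Restricted Sites).
param(
    [string]$Root   = 'C:\officefiles',            # placeholder path
    [string]$Report = '.\macro-motw-report.csv'    # placeholder path
)
Add-Type -AssemblyName System.IO.Compression.FileSystem
# Legacy binary formats can hide macros behind a plain extension; flag them for review.
$legacy = '.xls', '.xla', '.doc', '.dot', '.ppt', '.pot'
$ooxml  = '.xlsm', '.xlam', '.xltm', '.docm', '.dotm', '.pptm', '.potm', '.ppam'

function Get-MacroState([System.IO.FileInfo]$File) {
    if ($File.Extension -in $legacy) { return 'Legacy (review)' }
    if ($File.Extension -notin $ooxml) { return 'No' }
    # OOXML files are zip containers; VBA code is stored in a vbaProject.bin part.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($File.FullName)
        try {
            if ($zip.Entries | Where-Object { $_.Name -eq 'vbaProject.bin' }) { return 'Yes' }
            return 'No'
        } finally { $zip.Dispose() }
    } catch { return 'Unreadable' }
}

function Get-ZoneId([System.IO.FileInfo]$File) {
    # The Zone.Identifier alternate data stream is the Mark of the Web (NTFS only).
    try {
        $ads = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d)') { return [int]$Matches[1] }
        }
    } catch { }
    return $null   # no MOTW: the internet-block policy does not apply
}

$results = Get-ChildItem -LiteralPath $Root -Recurse -File |
    Where-Object { $_.Extension -in ($legacy + $ooxml) } |
    ForEach-Object {
        $macros = Get-MacroState $_
        $zone   = Get-ZoneId $_
        [pscustomobject]@{
            Path           = $_.FullName
            Macros         = $macros
            ZoneId         = $zone
            WouldBeBlocked = ($macros -ne 'No') -and ($zone -in 3, 4)
        }
    }
$results | Export-Csv -NoTypeInformation -Path $Report
$results | Where-Object WouldBeBlocked | Format-Table -AutoSize
```

Files without a Zone.Identifier stream (for example, files that were copied over SMB by a process that does not preserve the stream) are not affected by the policy, so the report is only as good as the MOTW on the scanned copies.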
Review the need and settings for older Excel macros
Microsoft has provided a setting to block Excel 4.0 (XLM) macros by default as the first step in making the process more secure for enterprises. As noted in January, you can manage the setting. You can set a policy to re-enable XLM macros. However, you should question why you need an older macro process that has since been replaced with newer technologies. Are there files that still depend on 4.0 versions?
Use Group Policy, Office cloud policy service (OCPS), or other endpoint management tools to control the use of XLM macros. Beginning with Excel build 16.0.14427.10000, Excel 4.0 (XLM) macros are disabled. Use the Group Policy setting located by following this selection sequence:
- Group Policy Path: User configuration
- Administrative templates
- Microsoft Excel 2016
- Excel Options
- Trust Center
To control it at the registry level, look for the registry key path:
XLM is disabled by default in the September fork, version 16.0.14527.20000+. It’s also disabled in:
- Current Channel builds 2110 or greater (first released in October)
- Monthly Enterprise Channel builds 2110 or greater (first released in December)
- Semi-annual Enterprise Channel (Preview) builds 2201 or greater (Microsoft created the policy in January 2022, but it first shipped in March 2022)
- Semi-annual Enterprise Channel builds 2201 or greater (will ship July 2022)
Review what channel you are deploying and be aware of when these blocking rules will be deployed.
Enable tamper protection
Enable tamper protection features to prevent attackers from disabling security services and then bypassing detection. You should also enable attack surface reduction (ASR) rules, as they can limit lateral movement. For ASR rules, review the following:
Microsoft has provided a reprieve to determine the impact of blocking Office macros on your organization. Use the time to plan better for blocking macros by default.