Tricking someone into enabling macros on a downloaded Microsoft Excel or Word file is an old hacker chestnut. That one click from a target creates a foothold for attackers to take over their devices. This week, though, Microsoft announced a seemingly minor tweak with massive implications: Beginning in April, macros will be disabled by default in files downloaded from the internet.
Macros are small pieces of software used to automate tasks like data collection without the need to develop additional tools or applications. They can be written directly in Microsoft's Visual Basic for Applications programming language, or set up through translation tools that will turn a series of steps into a VBA macro, no coding skills required. Businesses rely on them heavily, especially those with legacy infrastructure, and they play a crucial role in everything from financial services to government organizations. But as an individual Microsoft 365 user, it's not unusual if your only interaction with macros has been clicking that pesky “allow” button—or knowing avoidance.
For attackers, being able to write little programs within massive, trusted applications like Excel or Word creates the opportunity to develop what are essentially macro viruses. Bad actors can also craft these programs to automatically download and run additional malware on victim devices. As a result, whether you use the feature in your daily life or not, everyone has faced risk from it for decades, making Microsoft's move this week all the more significant.
“A few years from now, we’ll look back on this announcement as the single biggest change Microsoft made for mitigating threat actor initial access,” says incident responder and former NSA hacker Jake Williams. “Your apex-grade threat actors or the NSO Groups of the world aren't using this stuff anymore anyway, but this will impact scammers, ransomware groups, and other criminals for sure.”
At least a quarter of ransomware attacks against businesses or other organizations start with phishing attempts, which often dangle a malicious document laced with tainted macros, according to Brett Callow, a threat analyst at the antivirus company Emsisoft.
“I’m very happy about Microsoft's announcement,” Callow says. “Cybercriminals, on the other hand, will be far from happy. Really, the change was long overdue.”
“We are always working to improve security,” said a Microsoft spokesperson in a statement. “Our products currently provide a warning to all customers that requires them to click before running macros from the internet. This new feature goes even further with an extra step to protect customers in everyday scenarios.” The company declined to say specifically why it took the step now and had not done it sooner.
The answer likely involves the tension between the needs of Microsoft's big, macros-dependent customers and the desire to tamp down macros-related attacks once and for all. In Windows 10 and 11, a feature called Microsoft Defender Application Guard has made it much more difficult for attackers to get meaningful access from what would have previously been successful macros-related attacks. But Application Guard is mostly intended for enterprise devices, and many consumer Windows computers still don't support it. And in general, the vast universe of old and outdated Windows devices keeps trucking without advanced defenses.