The Australian Signals Directorate (ASD) has published a useful list of prioritised cyber mitigation strategies since February 2017. Known as the ASD Essential Eight, these controls are widely agreed to reduce incidents. In this blog we’re going to look at disabling Office macros.
By configuring your Microsoft Office Macro settings to prevent uncontrolled macros from running, you will significantly reduce your organisation’s attack surface and improve your security posture. Let’s take a look at this mitigation strategy and see what organisations can do to enforce this at an organisational level.
Microsoft Office documents can contain embedded functions written in a special programming language known as Visual Basic for Applications (VBA). VBA can turn simple documents into multifaceted applications offering complex interaction with the user and the processing power of a compiled application. These embedded applications are known as Macros and if you open a Macro in the Visual Basic Editor you’ll immediately see the similarity to Microsoft’s Visual Studio Integrated Development Environment (IDE), which is used by software developers to build even the most complex of Windows applications. For this reason, Macros extend Office users an incredible degree of control over the application interface, but with this level of power, they can also interact with the operating system, making them the perfect transport mechanism for malware.
Many people ask why you can’t simply switch Macros off. The problem is that many Microsoft Office power users rely on Macros to automate repetitive tasks, which makes them more productive. Security teams therefore need to strike the right balance between enabling users to be productive and efficient, and protecting the business from the inevitable malware that arrives embedded in harmful Office documents.
Macros that contain harmful code are known as Macro Viruses and they are not a new phenomenon. The oldest (and one of the most written about) Macro virus appeared in 1999 and was called Melissa. Melissa would automatically spread from one computer to another by e-mailing itself to the user’s contacts in their address book.
The problem is that when a malicious macro is executed (often by the action of no more than opening the document), it can start copying itself into other documents, potentially even corrupting valuable corporate data while spreading laterally to other users. These days, harmful Macro code is often used in blended attacks, where clever social engineering techniques are used to craft compelling emails, enticing the user to open the attachment, which contains the harmful VBA. By running the Macro, the user has set off a chain of events that are a precursor to something more insidious, such as dropping keyloggers, Trojans, rootkits or Ransomware onto the user’s device.
In their 2016 Threat Report, ASD reported, “an increasing number of attempts to compromise organisations using social engineering techniques and malicious Microsoft Office macros. The use of these malicious Microsoft Office macros can range from cybercrime to more sophisticated exploitation attempts.”
Since the Macro Virus issue has been around for almost two decades, Microsoft has developed several useful security features within Office to help manage the risk. Administrators can configure what are called “trusted locations,” which are places where documents containing VBA are trusted by the operating system and can therefore run. Furthermore, documents themselves can be trusted; however, this can become an administrative burden and is largely discouraged in large enterprises. Trusted locations are better, since they allow organisations to select a place where sophisticated Microsoft Office documents can execute their embedded code, while prohibiting it in, for example, email attachments or the user’s Downloads folder.
The best approach to mitigating the risks associated with harmful Macros is application signing. VBA developers can use digital certificates to sign their macros, confirming to recipients that the macro was authored by someone they trust and that the code itself has not been altered since it was signed. Digital certificates can be self-generated by users or obtained from a Certificate Authority (either externally or from your internal Public Key Infrastructure).
Note: If you decide to use application signing to prevent malicious Macros from running, you should also disable support for trusted documents and trusted locations.
You’ll find that certain users will want to create and publish Macros, so consider building an internal process that allows them to be issued with a signing certificate, so they can build the signing process into their workflows. You can then add the developer’s certificate to the operating system’s list of Trusted Publishers.
System administrators can enforce Macro security settings using Group Policy, thus overriding the configuration options available to end users within Microsoft Office. Furthermore, once Macros are fully controlled within the organisation, security managers can use the application logs on user workstations to look for any indicators of compromise that might suggest rogue code is attempting to run – this can feed into the organisation’s incident response planning.
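To check that the trusted-locations, signing and Group Policy settings discussed above have actually landed on a workstation, here is an added audit script (not part of the original post or of any Microsoft tooling). It reads the per-user Office policy registry values that Group Policy writes and lists the Trusted Publishers certificates; it assumes Office 2016 or later (registry version "16.0") and the policy value names `VBAWarnings`, `AllLocationsDisabled`, `DisableTrustedDocuments` and `blockcontentexecutionfrominternet`.

```powershell
# Added example: audit Office macro policy on the current workstation.
# Reports, per application, whether the posture the post recommends is enforced:
# macros restricted to digitally signed ones (or blocked entirely),
# trusted locations disabled, trusted documents disabled.
# Assumption: Office 2016/2019/365, which uses the "16.0" registry version.
$Version = '16.0'
$Apps    = 'Word', 'Excel', 'PowerPoint'
$Base    = "HKCU:\Software\Policies\Microsoft\Office\$Version"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy has never been set (key or value absent).
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-MacroPosture {
    param([string]$App)
    $sec = "$Base\$App\Security"
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $warn     = Get-PolicyValue $sec 'VBAWarnings'
    $noLoc    = Get-PolicyValue "$sec\Trusted Locations" 'AllLocationsDisabled'
    $noDocs   = Get-PolicyValue "$sec\Trusted Documents" 'DisableTrustedDocuments'
    $blockNet = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'
    [pscustomobject]@{
        Application         = $App
        VBAWarnings         = $warn
        SignedOrBlocked     = ($warn -eq 3 -or $warn -eq 4)
        TrustedLocationsOff = ($noLoc -eq 1)
        TrustedDocumentsOff = ($noDocs -eq 1)
        BlockInternetMacros = ($blockNet -eq 1)
    }
}

$results = $Apps | ForEach-Object { Get-MacroPosture $_ }
$results | Format-Table -AutoSize

# Trusted Publishers: signed macros from these certificates run without prompting,
# so any publisher you do not recognise weakens the signing control.
foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter
}

$failing = $results | Where-Object {
    -not ($_.SignedOrBlocked -and $_.TrustedLocationsOff -and $_.TrustedDocumentsOff)
}
if ($failing) {
    Write-Warning "Macro policy not fully enforced for: $($failing.Application -join ', ')"
}
```

Run it under the user account whose policy you want to verify; a `$null` in the VBAWarnings column means no policy has reached that application at all, which is a different finding from a policy set to the wrong value.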
VBA introduces a degree of flexibility and power to Office users that significantly extends the standard application capabilities. However, VBA can also be used by attackers to embed harmful code in Microsoft documents.
This is an old problem and something Microsoft tackled almost two decades ago, yet as a threat vector it has never gone away. We’ve seen a resurgence in VBA-based malware over the past few years, especially as a vector for Ransomware, so system administrators and security managers need to get to grips with Macro security and introduce mitigations to control the threat.
This control ties in well with our recommendations on implementing the ASD Essential Eight mitigation strategies and supports our call to action on improving protective monitoring to gain situational awareness across your business environment.
The Essential Eight category of User Application Hardening covers control of Microsoft Office Macro settings, although Macro control isn’t explicitly named in the Essential Eight because it is too specific. However, in ASD’s full list of Strategies to Mitigate Cyber Security Incidents, control of Microsoft Office Macros is categorised as Essential.
See https://www.asd.gov.au/publications/Mitigation_Strategies_2017.pdf for more details.