The Australian Signals Directorate (ASD) has published a useful list of prioritised cyber mitigation strategies since February 2017. Known as the ASD Essential Eight, there is little doubt in anyone’s mind that these controls reduce incidents. In this blog we’re going to look at disabling office macros.
By configuring your Microsoft Office Macro settings to prevent uncontrolled macros from running, you will significantly reduce your organisation’s attack surface and improve your security posture. Let’s take a look at this mitigation strategy and see what organisations can do to enforce this at an organisational level.
Microsoft Office documents can contain embedded functions written in a programming language called Visual Basic for Applications (VBA). VBA can turn simple documents into multifaceted applications offering complex interaction with the user and the processing power of a compiled application. These embedded applications are known as Macros, and if you open a Macro in the Visual Basic Editor you’ll immediately see the similarity to Microsoft’s Visual Studio Integrated Development Environment (IDE), which software developers use to build even the most complex Windows applications. Macros therefore give Office users an incredible degree of control over the application interface, but with this level of power they can also interact with the operating system, making them an ideal transport mechanism for malware.
Many people ask why you can’t just switch Macros off. The problem is that many Microsoft Office power users rely on Macros to automate repetitive tasks, making them more productive. Security teams therefore need to strike the right balance between enabling users to be more productive and efficient and protecting the business from the malware that inevitably arrives embedded in harmful Office documents.
Macros that contain harmful code are known as Macro Viruses and they are not a new phenomenon. The oldest (and one of the most written about) Macro virus appeared in 1999 and was called Melissa. Melissa would automatically spread from one computer to another by e-mailing itself to the user’s contacts in their address book.
The problem is that when a malicious macro is executed (often by the action of no more than opening the document), it can start copying itself into other documents, potentially even corrupting valuable corporate data while spreading laterally to other users. These days, harmful Macro code is often used in blended attacks, where clever social engineering techniques are used to craft compelling emails, enticing the user to open the attachment, which contains the harmful VBA. By running the Macro, the user has set off a chain of events that are a precursor to something more insidious, such as dropping keyloggers, Trojans, rootkits or Ransomware onto the user’s device.
In their 2016 Threat Report, ASD reported, “an increasing number of attempts to compromise organisations using social engineering techniques and malicious Microsoft Office macros. The use of these malicious Microsoft Office macros can range from cybercrime to more sophisticated exploitation attempts.”
Since the Macro Virus issue has been around for almost two decades, Microsoft has developed several useful security features within Office to help manage the risk. Administrators can configure what are called “trusted locations,” which are places where documents containing VBA are trusted by the operating system and can therefore run. Individual documents can also be trusted; however, this quickly becomes an administrative burden and so is largely discouraged in large enterprises. Trusted locations are the better option, since they let organisations choose a place where sophisticated Microsoft Office documents can execute their embedded code while prohibiting it elsewhere, for example in email attachments or the user’s Downloads folder.
The best approach to mitigating the risks associated with harmful Macros is application signing. VBA developers can use digital certificates to sign their macros, thus confirming they were authored by someone they can trust and that the code itself has not been altered. Digital certificates can be self-generated by users or obtained from a Certificate Authority (either externally or from your internal Public Key Infrastructure).
Note: If you decide to use application signing to prevent malicious Macros from running, you should also disable support for trusted documents and trusted locations.
You’ll find that certain users will want to create and publish Macros, so consider building an internal process that allows them to be issued with a signing certificate, so they can build the signing process into their workflows. You can then add the developer’s certificate to the operating system’s list of Trusted Publishers.
System administrators can enforce Macro security settings using Group Policy, thus overriding the configuration options available to end users within Microsoft Office. Furthermore, once Macros are fully controlled within the organisation, security managers can use the application logs on user workstations to look for any indicators of compromise that might suggest rogue code is attempting to run – this can factor in the organisation’s incident response planning.
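As an added example (not code from the original post), the PowerShell below audits the Office macro policy values that Group Policy writes for Word, Excel and PowerPoint, and with `-Enforce` applies the approach described above: allow only digitally signed macros, block macros in files from the internet, and disable trusted locations and trusted documents. It assumes Office 2016 or later (registry version path `16.0`) and that the per-user Policies hive is the right target; for a machine-wide policy, change `$base` to `HKLM:`.

```powershell
# Added example: audit/enforce Office macro policy (assumes Office 16.0 paths).
param([switch]$Enforce)

$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# Documented VBAWarnings policy values; 3 matches the "signed macros only" approach.
$vbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

foreach ($app in $apps) {
    $sec = "$base\$app\Security"
    if ($Enforce) {
        Set-RegDword $sec 'VBAWarnings' 3                        # signed macros only
        Set-RegDword $sec 'BlockContentExecutionFromInternet' 1  # Mark-of-the-Web block
        Set-RegDword "$sec\Trusted Locations" 'AllLocationsDisabled' 1
        Set-RegDword "$sec\Trusted Documents" 'DisableTrustedDocuments' 1
    }

    $vba = Get-RegValue $sec 'VBAWarnings'
    $state = if ($null -eq $vba) { 'Not set (user-controlled)' } else { $vbaMeaning[[int]$vba] }

    # Compliant only when signed-only (or stricter) AND the trust bypasses are closed.
    $compliant = ($vba -in 3, 4) -and
        (Get-RegValue $sec 'BlockContentExecutionFromInternet') -eq 1 -and
        (Get-RegValue "$sec\Trusted Locations" 'AllLocationsDisabled') -eq 1 -and
        (Get-RegValue "$sec\Trusted Documents" 'DisableTrustedDocuments') -eq 1

    [PSCustomObject]@{
        Application = $app
        VBAWarnings = $vba
        MacroPolicy = $state
        Compliant   = $compliant
    }
}
```

Run without `-Enforce` first to report the current state per application; a `Not set` result means the user can change the setting themselves in the Trust Center, which is exactly what Group Policy enforcement is meant to prevent.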
VBA introduces a degree of flexibility and power to Office users that significantly extends the standard application capabilities. However, VBA can also be used by attackers to embed harmful code in Microsoft documents.
This is an old problem and something Microsoft tackled almost two decades ago, yet as a threat vector it has never gone away. We’ve now seen a resurgence in VBA encoded malware over the past few years, especially as a vector for Ransomware, so system administrators and security managers need to get to grips with Macro security and introduce mitigations to control the threat.
This control ties in well with our recommendations on implementing the ASD Essential Eight mitigation strategies and supports our call to action on improving protective monitoring to gain situational awareness across your business environment.
The Essential Eight category of User Application Hardening includes control of Microsoft Office Macro settings, but this isn’t referenced explicitly in the Essential Eight because it is too specific. However, in ASD’s full list of Strategies to Mitigate Cyber Security Incidents, control of Microsoft Office Macros is categorised as Essential.
See https://www.asd.gov.au/publications/Mitigation_Strategies_2017.pdf for more details.