System administrators that do not block malicious Word macros in Office 2016 could be making it far too easy for hackers to compromise their networks. Malicious Word macros are nothing new, but in recent months they have been increasingly been used to deliver ransomware and other nasty malware.

Macros Used in 98% of Office-related Enterprise Malware Attacks

It is common knowledge that executable files are used to deliver malware. Many companies implement a web filter to prevent the downloading of executable files by end users, and spam filters are often configured to prevent attached .exe files from being delivered.

Screensaver files (.SCR) are also commonly used to deliver malware and these too are often blocked by security solutions. Blocking other file types commonly used by attackers, such as batch files (.bat) and compressed files (.zip) can also help to reduce the risk of a malware infection. For the majority of enterprise end users, these files can be blocked without affecting workflows.

However, it is not practical prevent Word documents and other Office files from being emailed or shared. These file types are used by most workers on a day to day basis. They are also being extensively used to deliver malware. According to figures released by Microsoft, office document macros are used in 98% of Office-related attacks on enterprises.

Fail to Block Malicious Word Macros in Office 2016 at your Peril!

There have been a number of recent cases of ransomware being installed after enabling Word macros. Hackers can add malicious scripts to Word macros and install malware without rousing too much suspicion. Word documents are often trusted not to be malicious by many end users.

After a rise in the use of macros to deliver computer viruses, Microsoft made a change to automatically disable macros in Word by default. Opening a Word document therefore required users to manually enable macros before they could be run.

The use of macro viruses went into rapid decline after this security measure was introduced because macros ceased to be a particularly effective method of malware delivery. That was about a decade ago.

However, recently there has been a surge in the use of embedded VBA scripts to deliver malware. Even when system administrators block malicious Word macros in Office 2016 it does not prevent infection. End users are enabling macros in order to open Word documents after being convinced to do so by attackers.

Enterprise end users are sent spam emails containing infected Word documents and are fooled into enabling macros in order to view the documents. When end users open the infected files they are presented with a warning message saying the content of the document cannot be viewed without first enabling macros. The end user does just that, and the malicious VBA script is run. That script then opens a connection to the hackers C&C server and malware is downloaded to the user’s device.

IT departments can conduct training and tell end users to never enable macros, but sooner or, later, one individual will ignore that advice and will inadvertently install malware. Many businesses use macros in their office files, so blocking them from running is simply not an option. So how can businesses block malicious Word macros in Office 2016 without having to stop using macros in documents altogether? Fortunately, Microsoft has come up with a cunning solution.

Microsoft Makes It Easier to Block Malicious Word Macros

Microsoft has responded to the wave of malicious macro attacks by developing a better solution than the one introduced more than a decade ago. A new setting has been added to make it possible to block malicious Word macros in Office 2016 while still being able to use genuine macros. The good news for system administrators is the settings cannot be bypassed by end users who think they know better than their IT department.

System administrators can now apply a group setting that will block macros in Office files that have been obtained from the Internet zone. Microsoft’s definition of the Internet zone includes documents attached to emails that have been sent from outside an organization, as well as documents obtained from cloud storage providers such as Google Drive and Dropbox and from file sharing websites.

Opening and attempting to run macros from these sources will result in a warning being presented to the user saying their system administrator has blocked macros for security reasons. They will not be given the option of bypassing those settings and running the macros. The new setting can be found in the Microsoft Trust Center in the security settings of Word.