Microsoft's reversal of its blocking by default on Excel macros creates an opportunity to improve policies and processes around Excel and Office macro use.

Microsoft has pulled back on its decision to block, by default, macros in Office files downloaded from the internet, and has said it will push the change out again in the future. If you were caught flat-footed by the change and suddenly couldn't figure out how to unblock the Excel files you relied on, act before Microsoft rolls it out again: evaluate now why you are allowing such risky behavior and how you can better protect your firm.

While Microsoft has pulled back from this decision, I urge you to look for additional ways to protect users from phishing lures and attack vectors that involve malicious Office files. Many of these attacks arrive via email, but not necessarily as email attachments, so evaluate whether your phishing protection and user education are adequate. I've seen many a phishing lure come in via web links, pretend cloud services, and other techniques that bypass traditional antivirus and file filtering.

Educate users on file sharing, suspicious file processes

Educate your users on how your cloud file-sharing services work and which sharing processes are normal for your firm. Empower them not to open files, and give them a process for requesting review and evaluation of suspect files. Standardizing on a browser process that screens downloads proactively will ensure that many such phishing lures are blocked before they reach your users.

Limit access to Excel macros and Office applications

Determine who in your office truly needs access to Excel macros. Set up Group Policy restrictions that limit macros to only those users and organizational units that need them. Stratify your firm and user roles as to who needs macros and who does not. Chances are that not everyone in your firm needs, or uses, Excel, let alone macros.
The Office Deployment Tool (ODT) lets you customize who in your firm gets which applications in the Office suite. Not everyone in your organization needs every Office application, so use the tool to customize your deployment. Structure your organizational units and deployment processes with a limitation mindset: deploy software only to those users who need a particular application.

Next, set the macro policies for the applications you wish to limit. Enable the "Block macros from running in Office files from the Internet" setting for each application. To get these settings into Group Policy, download the Office Administrative Template files (ADMX/ADML) from Microsoft; the download is packaged for 32-bit and 64-bit Office, so pick the one that matches your deployment.

Each Office application has its own Group Policy setting. Look under User Configuration, then Policies, then Administrative Templates, and then:

For Access: Microsoft Access 2016\Application Settings\Security\Trust Center
For Excel: Microsoft Excel 2016\Excel Options\Security\Trust Center
For PowerPoint: Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
For Visio: Microsoft Visio 2016\Visio Options\Security\Trust Center
For Word: Microsoft Word 2016\Word Options\Security\Trust Center

To determine which files these changes will affect, use the Readiness Toolkit for Office add-ins and VBA (download version 1.2.22161). From a command prompt, go to the folder where you installed the Readiness Toolkit and run ReadinessReportCreator.exe with the -blockinternetscan option. For example:

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles -r -output \\server01\finance -silent

This scans c:\officefiles recursively (-r), writes the report to the \\server01\finance share, and runs without prompting (-silent).

Review the need and settings for older Excel macros

Microsoft has provided a setting that blocks Excel 4.0 (XLM) macros by default, as a first step in making the process more secure for enterprises. As noted in January, you can manage the setting, and you can set a policy to re-enable XLM macros.
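As an added example (not from the original article, and not Microsoft's own tooling), here is how the internet-macro block described above can be applied and verified outside the Group Policy editor, and how to check whether a given file even qualifies as "from the internet". It writes the registry value that the "Block macros from running in Office files from the Internet" policy sets (blockcontentexecutionfrominternet under each application's Security policy key); the workbook path under Downloads is an assumption for illustration.

```powershell
# Added example, not from the original article. Applies the "Block macros from
# running in Office files from the Internet" policy per application by writing the
# registry value behind the Group Policy setting, then shows how Office decides a
# file "came from the internet": the Mark of the Web (Zone.Identifier alternate
# data stream). Run as the user whose HKCU is being configured; for production,
# push the same value through GPO, OCPS, or Intune instead of a script.

$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = block macros in files from the internet (the policy's "Enabled" state)
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify what is now in effect for each application
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    '{0,-11} blockcontentexecutionfrominternet = {1}' -f $app, $v
}

# The policy only fires for files carrying Mark of the Web with ZoneId 3 (Internet)
# or 4 (Restricted sites). Files extracted by a tool that drops the stream, or
# opened from a share in the Local intranet zone, are NOT blocked by this policy.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        $id = if ($line) { [int]($line -replace '^ZoneId=', '') } else { $null }
        [pscustomobject]@{ Path = $Path; ZoneId = $id; BlockedByPolicy = ($null -ne $id -and $id -ge 3) }
    } catch {
        # No Zone.Identifier stream: the file carries no Mark of the Web
        [pscustomobject]@{ Path = $Path; ZoneId = $null; BlockedByPolicy = $false }
    }
}

# The path below is an assumption; substitute a workbook you actually downloaded.
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\report.xlsm"
```

The Readiness Toolkit scan above answers the same question at fleet scale; this check is useful when a user reports that one particular file was (or was not) blocked, since the answer is usually in the Zone.Identifier stream rather than in the policy.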
However, you should question why you still need an older macro technology that has since been replaced by newer ones. Are there files that still depend on Excel 4.0 macros?

Use Group Policy, the Office cloud policy service (OCPS), or other endpoint management tools to control the use of XLM macros. Beginning with Excel build 16.0.14427.10000, XLM macros are disabled by default. The Group Policy setting is located at User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center. To control it at the registry level, look under the registry key path Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security.

XLM is disabled by default in the September fork, version 16.0.14527.20000 and later. It's also disabled in:

Current Channel builds 2110 or greater (first released in October)
Monthly Enterprise Channel builds 2110 or greater (first released in December)
Semi-Annual Enterprise Channel (Preview) builds 2201 or greater (Microsoft created the policy in January 2022, but it first shipped in March 2022)
Semi-Annual Enterprise Channel builds 2201 or greater (will ship July 2022)

Review which channel you are deploying and be aware of when these blocking rules will reach it.

Enable tamper protection

Enable tamper protection to prevent attackers from disabling security services and then bypassing detections. You should also enable attack surface reduction (ASR) rules, as they can limit lateral movement. For ASR rules, review the following:

Block process creations originating from PsExec and WMI commands.
(This rule needs testing and can be problematic if you rely on remote management tools.)
Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
Block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe).
Block all Office applications from creating child processes.
Block Office communication application from creating child processes.
Block Office applications from creating executable content.
Block Office applications from injecting code into other processes.

Microsoft has provided a reprieve in which to determine the impact of blocking Office macros on your organization. Use the time to plan for blocking macros by default.
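As an added example (not from the original article, and not Microsoft's own tooling), the script below covers two of the checks above on a pilot machine: which Office update channel and build is installed, compared with the September-fork build where XLM macros are disabled by default, and the listed ASR rules enabled in audit mode so Defender logs what they would block before you switch them to enforcement. The channel GUIDs are taken from Microsoft's update-channel documentation and the ASR rule GUIDs from the Defender ASR reference; verify both against current documentation before relying on them. Tamper protection itself is not configurable from PowerShell and is left to Intune or the Microsoft Defender portal.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on a
# pilot machine with Microsoft Defender Antivirus active.

# --- 1. Office update channel and build, compared with the XLM-disabled threshold
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($null -eq $c2r) {
    Write-Warning 'No Click-to-Run Office installation found; skipping channel check.'
} else {
    # Channel GUIDs as published in Microsoft's update-channel documentation.
    $channels = @{
        '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
        '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
        'b8f9b850-328d-4355-9145-c59439a0c4ff' = 'Semi-Annual Enterprise Channel (Preview)'
        '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
    }
    $guid    = ($c2r.CDNBaseUrl -split '/')[-1]
    $channel = if ($channels.ContainsKey($guid)) { $channels[$guid] } else { "unknown channel ($guid)" }
    $build   = [version]$c2r.VersionToReport

    # XLM macros are disabled by default from the September fork, 16.0.14527.20000, onward.
    $xlmDefaultOff = $build -ge [version]'16.0.14527.20000'
    "Office $build on $channel; XLM disabled by default in this build: $xlmDefaultOff"

    # Any explicit XLM policy under the Excel security policy key? List whatever is
    # there rather than assuming a value name.
    $xlmKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security'
    if (Test-Path $xlmKey) {
        Get-ItemProperty $xlmKey | Select-Object -Property * -ExcludeProperty PS* | Format-List
    } else {
        'No Excel security policy key present; the default for this build applies.'
    }
}

# --- 2. The ASR rules from the list above, in audit mode -----------------------
$asr = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age, or trusted list criteria'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
}

# Add-MpPreference appends to the existing rule list; Set-MpPreference would
# replace it and silently drop rules configured elsewhere.
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Report the effective state. Ids and Actions are parallel arrays:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref       = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asr.Contains($id)) {
        '{0,-8} {1}' -f $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $asr[$id]
    }
}
# Audit hits are logged in Microsoft-Windows-Windows Defender/Operational as event ID 1122;
# review them for a few weeks (the PsExec/WMI rule in particular) before moving to Block.
```

Leave the rules in audit mode long enough to catch the monthly and quarterly jobs that spawn from Office or use WMI; the PsExec/WMI rule is the one most likely to collide with remote management tooling, exactly as the caveat above warns.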