Microsoft's reversal of its blocking by default on Excel macros creates an opportunity to improve policies and processes around Excel and Office macro use.

Microsoft has pulled back on its decision to block downloaded Excel files containing macros by default. They have said they will push this change out again in the future. If you were caught flat-footed by this decision and suddenly couldn’t figure out how to unblock the Excel files you relied upon, you need to act before Microsoft rolls this out again. Evaluate now why you are allowing such risky behavior and how you can better protect your firm.

While Microsoft pulled back from this decision, I urge you to look for additional ways to protect users from phishing lures and attack vectors that include malicious Office files. Because many of these attacks come via email, but not necessarily as email attachments, evaluate whether your phishing protection and user education are appropriate. I’ve seen many a phishing lure come in via web links, pretend cloud services, and other techniques that bypass traditional antivirus and file filtering.

Educate users on file sharing, suspicious file processes

Educate your users on how your cloud file-sharing services work and which ones are normal processes for your firm. Empower them to not open files and have a process for them to request review and evaluation of suspected files. Standardizing on a browser process that screens files proactively will ensure that many such phishing lures are blocked from your users.

Limit access to Excel macros and Office applications

Determine who in your office truly needs access to Excel macros. Set up Group Policy restrictions to limit access only to those users and organizational units that need them. Stratify your firm and user roles as to who needs macros and who does not. Chances are that not everyone in your firm needs – or uses – Excel or even macros.
The Office Deployment Tool (ODT) allows you to customize who in your firm has access to which applications in the Office suite. Not everyone in your organization needs access to every Office application. Use the tool to customize your deployment. Structure your organizational units and deployment processes with a limitation mindset: only deploy software to those users who need the ability to use a particular platform.

Next, set the policies for macros for the applications that you wish to limit. Enable “Protected” to block running macros in files obtained from the internet. Download the ADMX files from Microsoft and install the version of the templates that matches whether you have deployed 32-bit or 64-bit versions of Office.

Each Office application has a specific Group Policy setting. You need to look under User Configuration, then Policies, then Administrative Templates:

For Access, look under Microsoft Access 2016\Application Settings\Security\Trust Center.
For Excel, look under Microsoft Excel 2016\Excel Options\Security\Trust Center.
For PowerPoint, look under Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center.
For Visio, look under Microsoft Visio 2016\Visio Options\Security\Trust Center.
For Word, look under Microsoft Word 2016\Word Options\Security\Trust Center.

To determine what files these changes will impact, use the Readiness Toolkit (download version 1.2.22161). From a command prompt, go to the folder where you installed the Readiness Toolkit and run the ReadinessReportCreator.exe command with the -blockinternetscan option. For example:

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles -r -output \\server01\finance -silent

Review the need and settings for older Excel macros

Microsoft has provided a setting to block Excel 4.0 (XLM) macros by default as the first step in making the process more secure for enterprises. As noted in January, you can manage the setting. You can set a policy to re-enable XLM macros.
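Before the block lands you also want your own inventory of which workbooks on a share actually carry VBA or Excel 4.0 macro parts. The following is an added Python example, not code from the article or from Microsoft's Readiness Toolkit; it inspects OOXML workbook packages (zip containers) and only flags legacy binary .xls files for a separate check. The sample workbooks it builds are constructed in memory for illustration.

```python
import io
import zipfile
from pathlib import Path

# Content types that declare macro parts inside an OOXML package (.xlsm/.xlam).
CT_VBA = "application/vnd.ms-office.vbaProject"
CT_XLM = "application/vnd.ms-excel.macrosheet+xml"

def classify_workbook(data: bytes) -> dict:
    """Report which macro technologies an Excel file carries. OOXML workbooks are
    zip packages: VBA lives in xl/vbaProject.bin, Excel 4.0 (XLM) macros in
    xl/macrosheets/*.xml, each declared in [Content_Types].xml. Legacy binary
    .xls files are OLE2, not zip, so they are only flagged for a separate check."""
    result = {"vba": False, "xlm": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ct = ""
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Check both the declared content types and the part names themselves.
            result["vba"] = CT_VBA in ct or "xl/vbaProject.bin" in names
            result["xlm"] = CT_XLM in ct or any(n.startswith("xl/macrosheets/") for n in names)
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML package; legacy .xls needs an OLE parser"
    return result

def scan_directory(root: Path) -> list:
    """Walk a share and classify every Excel file, for a pre-rollout inventory."""
    exts = {".xlsx", ".xlsm", ".xltm", ".xlam", ".xls"}
    return [(str(p), classify_workbook(p.read_bytes()))
            for p in sorted(root.rglob("*")) if p.suffix.lower() in exts]

def _build(parts: dict) -> bytes:
    """Assemble a minimal constructed package in memory (test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: one with a VBA project, one with an XLM macro sheet,
# one clean workbook, and a stub with the OLE2 magic bytes of a legacy .xls.
_TYPES = '<Types><Override PartName="/{part}" ContentType="{ct}"/></Types>'
SAMPLE_VBA = _build({"[Content_Types].xml": _TYPES.format(part="xl/vbaProject.bin", ct=CT_VBA),
                     "xl/vbaProject.bin": b"constructed stub, not a real VBA project"})
SAMPLE_XLM = _build({"[Content_Types].xml": _TYPES.format(part="xl/macrosheets/sheet1.xml", ct=CT_XLM),
                     "xl/macrosheets/sheet1.xml": "<macrosheet/>"})
SAMPLE_CLEAN = _build({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
SAMPLE_LEGACY = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32  # OLE2 magic, not a zip
```

Run scan_directory against a copy of the file share to get a per-file list you can reconcile with the Readiness Toolkit report.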
However, you should question why you need an older macro process that has since been replaced with newer technologies. Are there files that still depend on 4.0 versions?

Use Group Policy, Office cloud policy service (OCPS), or other endpoint management tools to control the use of XLM macros. Beginning with Excel build 16.0.14427.10000, XLM 4.0 macros are now disabled. Use the Group Policy setting located by following this selection sequence: User Configuration, then Administrative Templates, then Microsoft Excel 2016, then Excel Options, then Security, then Trust Center.

To control it at the registry level, look for the registry key path Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security.

XLM is disabled by default in the September fork, version 16.0.14527.20000+. It’s also disabled in:

Current Channel builds 2110 or greater (first released in October)
Monthly Enterprise Channel builds 2110 or greater (first released in December)
Semi-Annual Enterprise Channel (Preview) builds 2201 or greater (Microsoft created the policy in January 2022, but it first shipped in March 2022)
Semi-Annual Enterprise Channel builds 2201 or greater (will ship July 2022)

Review what channel you are deploying and be aware of when these blocking rules will be deployed.

Enable tamper protection

Enable tamper protection features to prevent attackers from disabling security services to then bypass detections. You should also enable attack surface reduction (ASR) rules, as they can limit lateral movement. For ASR rules, review the following:

Block process creations originating from PsExec and WMI commands. This one may need testing and may be problematic if you rely on remote management tools.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
Block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe).
Block all Office applications from creating child processes.
Block Office communication application from creating child processes.
Block Office applications from creating executable content.
Block Office applications from injecting code into other processes.

Microsoft has provided a reprieve to determine the impact of blocking Office macros on your organization. Use the time to plan better for blocking macros by default.