Microsoft's reversal of its blocking by default on Excel macros creates an opportunity to improve policies and processes around Excel and Office macro use.

Microsoft has pulled back on its decision to block macros by default in Excel files downloaded from the internet, but it has said it will push the change out again in the future. If you were caught flat-footed by this decision and suddenly couldn't figure out how to unblock the Excel files you relied upon, act before Microsoft rolls this out again. Evaluate now why you are allowing such risky behavior and how you can better protect your firm.

While Microsoft pulled back from this decision, I urge you to look for additional ways to protect users from phishing lures and attack vectors that include malicious Office files. Because many of these attacks come via email, but not necessarily as email attachments, evaluate whether your phishing protection and user education are appropriate. I've seen many a phishing lure come in via web links, pretend cloud services, and other techniques that bypass traditional antivirus and file filtering.

Educate users on file sharing, suspicious file processes

Educate your users on how your cloud file-sharing services work and which ones are normal processes for your firm. Empower them to decline to open a file, and give them a process for requesting review and evaluation of a suspicious one. Standardizing on a browser that screens downloads proactively will ensure that many such phishing lures are blocked before they reach your users. Keep in mind that the macro block only applies to files that Windows has tagged as coming from the internet (the Mark of the Web); a file that arrives without that tag, for example one copied from an internal share, is not treated as an internet file.

Limit access to Excel macros and Office applications

Determine who in your office truly needs access to Excel macros. Set up Group Policy restrictions to limit access only to those users and organizational units that need them. Stratify your firm and user roles as to who needs macros and who does not. Chances are that not everyone in your firm needs, or uses, Excel or even macros.
The Office Deployment Tool (ODT) lets you customize who in your firm has access to which applications in the Office suite. Not everyone in your organization needs every Office application, so use the tool to customize your deployment. Structure your organizational units and deployment processes with a limitation mindset: only deploy software to the users who need a particular application.

Next, set the macro policies for the applications you wish to limit. Enable the "Block macros from running in Office files from the Internet" policy for each application so that macros in files obtained from the internet cannot run. Download the ADMX templates from Microsoft and install the version that matches your deployment (32-bit or 64-bit Office).

Each Office application has its own Group Policy setting. Look under User Configuration, then Policies, then Administrative Templates, and then:

For Access: Microsoft Access 2016\Application Settings\Security\Trust Center
For Excel: Microsoft Excel 2016\Excel Options\Security\Trust Center
For PowerPoint: Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
For Visio: Microsoft Visio 2016\Visio Options\Security\Trust Center
For Word: Microsoft Word 2016\Word Options\Security\Trust Center

To determine which files these changes will affect, use the Readiness Toolkit (download version 1.2.22161). From a command prompt, go to the folder where you installed the Readiness Toolkit and run ReadinessReportCreator.exe with the -blockinternetscan option. For example:

ReadinessReportCreator.exe -blockinternetscan -p c:\officefiles -r -output \\server01\finance -silent

This scans c:\officefiles recursively (-r), writes the report to \\server01\finance (-output), and runs without displaying a user interface (-silent). Review the report for the files and macros that would be blocked before you enforce the policy.

Review the need and settings for older Excel macros

Microsoft has provided a setting to block Excel 4.0 (XLM) macros by default as the first step in making the process more secure for enterprises. As noted in January, you can manage the setting, and you can set a policy to re-enable XLM macros.
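The per-application "Block macros from running in Office files from the Internet" setting above and the Excel 4.0 (XLM) setting introduced here both land in the registry under HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\<app>\security, the path the next section names for Excel. The following PowerShell is an added example, not code from the article or from Microsoft, that audits and sets those values directly on a lab machine or from an endpoint-management script. It assumes two value names that are not on this page: blockcontentexecutionfrominternet (DWORD, 1 = block) for the internet-macro policy, and XLM (DWORD, 0 = XLM macros disabled, 1 = re-enabled) for the "Enable Excel 4.0 macros when VBA macros are enabled" checkbox; both are Microsoft's documented registry names for these policies, but confirm them against the ADMX templates you deploy. On a domain-joined machine, Group Policy rewrites these keys at refresh, so the domain setting wins.

```powershell
# Added example (not from the article): audit and set the Office macro policies
# directly in the registry. Run as the target user, since the keys live in HKCU.
#
# Assumptions to verify against Microsoft's documentation / your ADMX templates:
#  - blockcontentexecutionfrominternet (DWORD 1) is the value written by the
#    "Block macros from running in Office files from the Internet" policy.
#  - XLM (DWORD) under excel\security backs the "Enable Excel 4.0 macros when
#    VBA macros are enabled" checkbox: 0 keeps XLM disabled, 1 re-enables it.

$PolicyRoot = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'
$Apps       = 'access', 'excel', 'powerpoint', 'visio', 'word'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns the value, or $null when the key or the value does not exist.
    if (Test-Path $Key) {
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

function Get-OfficeMacroPolicy {
    # One row per application showing the current policy values ($null = not set).
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\security"
        $xlm = if ($app -eq 'excel') { Get-RegValue $key 'XLM' } else { 'n/a' }
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = Get-RegValue $key 'blockcontentexecutionfrominternet'
            XLMEnabled          = $xlm
        }
    }
}

function Set-OfficeMacroPolicy {
    param(
        [switch]$BlockInternetMacros,   # blockcontentexecutionfrominternet = 1 for every app
        [switch]$DisableXLM             # excel\security\XLM = 0
    )
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($BlockInternetMacros) {
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                             -PropertyType DWord -Value 1 -Force | Out-Null
        }
        if ($DisableXLM -and $app -eq 'excel') {
            New-ItemProperty -Path $key -Name 'XLM' -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Usage: audit, apply, re-audit. Office reads the policy keys on next launch.
Get-OfficeMacroPolicy | Format-Table -AutoSize
Set-OfficeMacroPolicy -BlockInternetMacros -DisableXLM
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Pair the audit output with the Readiness Toolkit report: the toolkit tells you which files would be affected, and the audit tells you which machines already carry the setting.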
However, question why you still need an older macro technology that has long since been replaced by VBA. Are there files that still depend on Excel 4.0 macros?

Use Group Policy, the Office cloud policy service (OCPS), or other endpoint management tools to control the use of XLM macros. Beginning with Excel build 16.0.14427.10000, XLM 4.0 macros are disabled by default. The Group Policy setting is found under User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center. To control it at the registry level, look under Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security.

XLM is disabled by default in the September fork, version 16.0.14527.20000 and later. It is also disabled in:

Current Channel builds 2110 or greater (first released in October)
Monthly Enterprise Channel builds 2110 or greater (first released in December)
Semi-Annual Enterprise Channel (Preview) builds 2201 or greater (Microsoft created the policy in January 2022, but it first shipped in March 2022)
Semi-Annual Enterprise Channel builds 2201 or greater (will ship July 2022)

Review which channel you are deploying and be aware of when these blocking rules will reach your users.

Enable tamper protection

Enable tamper protection to prevent attackers from disabling security services and then bypassing detections. You should also enable attack surface reduction (ASR) rules, as they can limit lateral movement. Review the following ASR rules:

Block process creations originating from PsExec and WMI commands. This rule needs testing and may be problematic if you rely on remote management tools.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
Block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe).
Block all Office applications from creating child processes.
Block Office communication application from creating child processes.
Block Office applications from creating executable content.
Block Office applications from injecting code into other processes.

Microsoft has provided a reprieve to determine the impact of blocking Office macros on your organization. Use the time to plan better for blocking macros by default.
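To put the ASR rules listed above into practice without breaking remote management, stage them in audit mode first and read the resulting events before enforcing. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes Microsoft Defender Antivirus is the active engine and an elevated session; the rule GUIDs are Microsoft's published identifiers for exactly those seven rules, which do not appear on this page, so check them against the current ASR rules reference before deploying. Tamper protection is configured separately (Intune, the Microsoft Defender portal, or the Windows Security app) and cannot be switched with Set-MpPreference, so this block handles only the ASR rules.

```powershell
# Added example (not from the article): stage the seven ASR rules in audit mode,
# review what they would have blocked, then switch them to Enabled.
# Rule GUIDs are Microsoft's documented identifiers (not on this page); verify
# them against the current ASR rules reference before use. Requires Microsoft
# Defender Antivirus and an elevated PowerShell session.

$AsrRules = [ordered]@{
    'Block process creations originating from PsExec and WMI commands'            = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block executables unless they meet prevalence, age or trusted-list criteria' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block credential stealing from LSASS (lsass.exe)'                            = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes'                 = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office communication application from creating child processes'        = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block Office applications from creating executable content'                  = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'          = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

function Set-AsrRuleMode {
    # AuditMode logs what the rule would block; Enabled blocks; Disabled turns it off.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    foreach ($name in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ('{0,-10} {1}' -f $Mode, $name)
    }
}

function Get-AsrRuleState {
    # Configured action per rule as Defender reports it: 0=Disabled, 1=Block, 2=Audit, 6=Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        if ($AsrRules.Values -contains $id) {
            [pscustomobject]@{ RuleId = $id; Action = $pref.AttackSurfaceReductionRules_Actions[$i] }
        }
    }
}

function Get-AsrEvents {
    # Audit-mode hits are event 1122, blocks are 1121, in the Defender operational log.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: start in audit mode, watch 1122 events over a representative period
# (especially from hosts that use PsExec/WMI-based management), then enforce.
Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleState
Get-AsrEvents | Format-List
# Set-AsrRuleMode -Mode Enabled   # once the audit period shows no business impact
```

If Defender reports an unexpected action for a rule after you enable it, suspect an Intune or Group Policy assignment overriding the local setting; that is also the point at which tamper protection should already be on, so that the attacker cannot flip these same preferences back.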