In a move that baffled much of the security community, Microsoft told Office 365 administrators on Thursday that it would “reverse” a default block of VBA macros downloaded from the Internet.
“Based on feedback, we are reverting this change to the current channel. We appreciate the feedback we have received so far and are working to make improvements to this experience. We will provide another update when we are ready to rebroadcast on the Current Channel. Thank you,” read a message sent to administrators by the Redmond, Washington-based company. In a separate update to the original announcement, Microsoft characterized the move as a pause rather than a reversal: “This is a temporary change, and we are fully engaged to make the default change for all users.”
The feature, announced in February, had received immediate praise from the security community. The announcement that it would be put on hold, and confusion over whether and in what form it would eventually ship, drew a correspondingly negative reaction.
“The general feeling is, what can this be good for?” asked Sherrod DeGrippo, vice president of research and threat detection at Proofpoint. “Everyone really celebrated, or at least was positive about the decision. The decision to reverse course is, frankly, puzzling.”
Microsoft introduced VBA macros in 1993, with the first macro virus, Concept, appearing soon after in 1995. Since then, one of the most common and consistent security tips has been to ask users or administrators to disable macros.
Still, macros provide a lot of functionality and can be hard to give up completely. Microsoft’s February change would have let administrators split the difference: Office would treat documents flagged as downloaded from the internet (the mark-of-the-web that Windows attaches to downloaded files) differently from locally created ones, and by default display a security warning instead of running the macros in those documents. Administrators who needed macros could still re-enable them deliberately.
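As an added illustration, not code from the article or from Microsoft, the PowerShell below shows what the Office check keys on: the Zone.Identifier alternate data stream that Windows writes to downloaded files, and the per-user policy value an administrator can set to keep the block in place whatever default Microsoft ships. The sample document, its stream contents and the temp-folder paths are constructed for the example; the registry path is the documented policy location for Office 16.0 (Microsoft 365 Apps), and the treatment of zone 3 and 4 as “from the internet” is the author’s understanding of the Office behaviour.

```powershell
# Added example, not code from the article or from Microsoft.
# Inspects the mark-of-the-web (the Zone.Identifier alternate data stream)
# that Windows writes to downloaded files, which is what the Office default
# keys on, then shows the per-user policy value that enforces the block.
# Requires Windows PowerShell 5.1+ (or PowerShell 7 on Windows) and an NTFS volume.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The stream is an INI-style blob; ZoneId=3 is the Internet zone and
    # ZoneId=4 is Restricted Sites. Office treats both as "from the internet".
    try {
        $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; Marked = $false; ZoneId = $null; MacrosBlocked = $false }
    }
    $zone = $null
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zone = [int]$Matches[1]; break }
    }
    [pscustomobject]@{
        Path          = $Path
        Marked        = $true
        ZoneId        = $zone
        MacrosBlocked = ($null -ne $zone -and $zone -ge 3)
    }
}

# Constructed sample: a macro-enabled document that looks like a browser download.
$downloaded = Join-Path $env:TEMP 'invoice-sample.docm'
Set-Content -Path $downloaded -Value 'placeholder, not a real Word document'
Set-Content -Path $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.com/"
Get-MarkOfTheWeb -Path $downloaded | Format-List

# Same document with the stream stripped, which is what happens when the file
# arrives inside a container that does not propagate the mark. The check, and
# therefore the Office block, no longer fires.
$stripped = Join-Path $env:TEMP 'invoice-stripped.docm'
Copy-Item -Path $downloaded -Destination $stripped -Force
Remove-Item -Path $stripped -Stream Zone.Identifier
Get-MarkOfTheWeb -Path $stripped | Format-List

# Enforce the block for Word for the current user, independent of the shipped
# default. This is the registry form of the Group Policy setting
# "Block macros from running in Office files from the Internet"; repeat for
# the excel and powerpoint keys as needed.
$policy = 'HKCU:\Software\Policies\Microsoft\office\16.0\word\security'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
Get-ItemProperty -Path $policy -Name 'blockcontentexecutionfrominternet' |
    Select-Object -ExpandProperty blockcontentexecutionfrominternet
```

The first call reports Marked=True and MacrosBlocked=True; the second reports Marked=False, which is the gap attackers exploit when they wrap a document in a container format that does not carry the stream through. The policy write is per-user and per-application; in a managed environment the same setting is normally pushed through Group Policy or Intune rather than set by hand.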
“By all accounts, email continues to be the dominant vector exploited by adversaries for initial access, resulting in a wide variety of damaging cyberattacks. Disabling macros by default would have been highly disruptive to adversaries, and a relatively minor disruption to IT pros, who have the flexibility to re-enable macros and accept the associated risks,” said Brian Donohue, Principal Security Specialist at Red Canary, via email.
Microsoft did not respond directly to questions submitted by SC Media about the decision to delay the change announced in February, but pointed to the updated announcement.
The unfortunate thing, DeGrippo said, is that even the announcement alone that VBA macros would be disabled by default may have forced adversaries to change tactics. Even the prospect of a change had an effect.
“Emotet has been using malicious macro documents for a billion years and just recently we’ve seen threat actors change tack and start using more containers, .LNK files, archive files, all that kind of stuff,” she said. “It’s really, really easy to assume that this was a response to Microsoft’s original decision. So not only was people’s earlier decision to disable macros celebrated and seen as positive, but it actually really had behavioral impact.”