This is not to say they haven’t added in a few features here and there over the last 20 years. They added in the security center, made it possible to only run signed macros, added an option to create trust zones, and even an option to block all macros when running in a domain environment. The issue is that most of these options are opt-in instead of being default. Even in a domain environment some of the nastier pivots in Office must be disabled or they leave an environment open to attack (Excel 4.0 Macros).

Because of this, attackers have used this as a way to insert all types of malware from backdoors to ransomware. The pivots often involve inserting code (such as hta) that forces the office program in question to call another service outside of office to read and execute the code (typically a base64 encoded PowerShell command). Once this happens the infection is on its way. If they attackers are clever, they can stage their attack well enough to get around many modern antimalware options.

In terms of attack path, that makes Office the pivotal point. Microsoft has finally acknowledged this and is now adding in an appropriate remediation. As we mentioned earlier corporate, or domain organizations have had an option to establish trust zones. Basically, they can use markers or tags to determine where a macro enabled file came from. If it comes from an untrusted zone, like the internet, then the macro was disabled. Microsoft’s new option is an improvement on this feature.

In the past, disabling a macro did not mean that a user could not execute it. It often meant that they received a warning banner saying there was a macro and people should exercise caution before allowing it to run. In far too many cases the end user would just click on enable and the malicious file would start. The feature also relied on the creation of trust zones, so it was not an automatic feature.

Now the trust zones and tags are going to be automated. If a macro comes from the web, it will have a Zone Identifier tag called MOTW (Mark of the Web). These MOTW tags have been in use for a while so there is nothing to deploy there. The tricky part is identifying truly internal documents with macros. It seems that tags are only present on NTFS volumes. This leaves out ReFS, external drives that are formatted as exFAT, and many other common file systems.
The change will not make macros impossible to run from an untrusted location, it just makes it more complicated to do so. In the past the banner was clickable and would allow you to easily enable the macro. Now the banner takes you to a page that tells you all about the dangers of macros. To re-enable a macro from a not trusted location, you must right click the file, select properties, and then check “unblock”.

The new feature is expected to start rolling out in June so that does give attackers some time to figure out how to remove the MOTW tag or start singing their macros to get around this new security feature. Macros make things easy for everyone. Despite this new default security setting, we have no doubt that macro delivered malware will continue to be a big thing.