Microsoft Office Will Now Block VBA Macros by Default

Posted on February 8, 2022 by Laurent Giret in Office 365, Office with 20 Comments

Microsoft is making its Office apps more secure by blocking Visual Basic for Applications (VBA) macros obtained from the Internet by default. Office users will no longer be able to enable these macros with the click of a button, and the apps will soon display a message bar with a security warning and a support page instead.

To enable these macros, Office users will need to save the file on a local hard drive, network drive, or cloud storage service like OneDrive, and then unblock the file manually. Microsoft already has a support page with detailed instructions on how to proceed, and this same page will be available in the message bar that will show up when Office users open files with VBA macros coming from the Internet.

Office message bar with security warning about blocked VBA macros

This new default behavior regarding Office macros will apply to Word, Excel, PowerPoint, Visio, and Access. As macros obtained from the Internet have been a notorious source of malware, Microsoft believes that this change should better protect consumers and enterprise customers using Office.

“For years Microsoft Office has shipped powerful automation capabilities called active content, the most common kind are macros. While we provided a notification bar to warn users about these macros, users could still decide to enable the macros by clicking a button. Bad actors send macros in Office files to end-users who unknowingly enable them, malicious payloads are delivered, and the impact can be severe including malware, compromised identity, data loss, and remote access,” explained Microsoft’s Kellie Eickmeyer.

Microsoft plans to start blocking VBA macros obtained from the Internet in Office by default in early April 2022, and the new default behavior will roll out first to Microsoft 365 subscribers in the Current Channel (Preview). The change will also make its way to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013, though Microsoft has yet to share an ETA.
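
The "obtained from the Internet" test and the manual unblock step described above depend on Mark of the Web, which Windows stores on NTFS as a `Zone.Identifier` alternate data stream next to the file. The following PowerShell audit is an added example, not code from Microsoft or from this article; the default folder and the extension list are assumptions to adjust for your environment.

```powershell
# Added example: list macro-capable Office files under a folder and show
# whether each one carries Mark of the Web (the Zone.Identifier stream).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed folder; change as needed
)

# Extensions that can carry VBA macros (constructed, non-exhaustive list).
$macroExtensions = '.doc', '.docm', '.dotm', '.xls', '.xlsm', '.xlsb',
                   '.xltm', '.xlam', '.ppt', '.pptm', '.potm', '.ppsm'

# Windows URL security zones as written into the ZoneId field.
$zoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $macroExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        # No stream means no Mark of the Web (never marked, or already unblocked).
        $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                           -ErrorAction SilentlyContinue
        $zoneId  = $null
        $hostUrl = $null
        foreach ($line in $ads) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
            elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
        }
        [pscustomobject]@{
            File    = $_.FullName
            HasMotw = $null -ne $ads
            Zone    = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) {
                          $zoneNames[$zoneId]
                      } else { $null }
            HostUrl = $hostUrl
            # Zones 3 and 4 are the untrusted ones the new default applies to.
            InternetMarked = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    } |
    Sort-Object InternetMarked -Descending |
    Format-Table -AutoSize
```

After a file has been reviewed and scanned, `Unblock-File -LiteralPath <file>` removes the stream, which is the command-line equivalent of ticking Unblock in the file's Properties dialog.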


20 responses to “Microsoft Office Will Now Block VBA Macros by Default”

  1. jordan_meyer

    Nice write up. Congrats on the new job.


    Couple of typos:

    2nd pp is missing the bolded 'd'

    "To enable these macros, Office users will need to save the file on a local hard drive, network drive..."

    3rd pp has office vision instead of visio

  2. ekim

    "will apply to Word, Excel, PowerPoint, Visio, and Access" What about Outlook?

  3. hrlngrv

    Serious question: will Office disable VBA macros in Office documents with digitally signed VBA modules when the digital signature is on a user's (or organization's) list of approved digital signatures?

  4. hrlngrv

    Semiserious (75% serious/25% tongue-in-cheek) question: have any of the rest of you ever seen any VBA macros in a PowerPoint file? I haven't. If I ever had, I would have assumed immediately it was malware.

  5. red.radar

    This looks like it will be disruptive. The number of macro-enabled files shared within a corporate intranet is rather large.


    That being said, I understand why they want to change. The next step is to sign these macro-enabled files with a certificate to allow the macro to run. This way a colleague who shares a file with me from the same Corporate licensed M365 account can automatically know it is safe. But any external file with a different certificate or signature or lack thereof gets automatically blocked.


    It is as if the Office document container needs to support default encryption and signature signing. That would solve this problem but maintain the functionality.



    • proftheory

      Even from a corporate address I would still recommend Save, Scan, then Open.

      As I've been saying for years "You're more apt to get a virus from an email of someone you "know" than a stranger." Because people will trust it with a From: address with a familiar name without checking if the email address is correct for that person or it may be requesting personal info and the sender's computer has been compromised.

    • lvthunder

      The next step is to get these macros converted to the JavaScript APIs that are hosted in the cloud instead of in the document.

    • bluvg

      Default encryption would make them not AV-scannable, perhaps solving one problem but creating another (assuming you'd still accept files from outside the org). You can default encryption with MIP today, but that is not enabled lightly....

    • igor engelen

      It seems admins can still specify trusted locations for which macros are not blocked so seems like an improvement to me.

    • spacein_vader

      It'll only be Web downloaded files and I suspect at a corporate level there's probably a switch to disable it if need be.

    • fishnet37222

      This will only show up on those files downloaded from the internet.

      • hrlngrv

        After all, everyone knows a file downloaded from the Internet and saved as a local file can't possibly be dangerous. [Do I need a /s tag?]


        I fail to see the benefit of disabling macros in a file opened from, say, wtf.urs0scr3w3d.ru but not disabling them when the same file is saved locally.

      • red.radar

        I know that is what the press release says, but practically every time I download a file off my intranet, or open it from a trusted internal sender in email, I see the same "this has macros and is from internet" warning.


        It makes me question if they have the capability to distinguish External vs Internal network distribution. They may be assuming that people are using OneDrive and Teams. Which is not always valid. Lots of stuff gets distributed as copies via Email or hosted on internal websites.


        I still think it's a good change, just saying there will be some disruption and behavior modification required.

      • alissa914

        Somehow, I bet "mark of the web" will extend to network drives and to add new folder locations will require people to research where the setting is ... kind of like how it is currently.


        I get why they're doing it, but "mark of the web" was always something that plagued me running on a VM hitting my main PC drive

  6. midpacific

    Seriously. Please help me here. How is this a new thing? I have never been able to send anyone an Excel file and expect them to be able to run macros. I wrote a neat Wordle macro in Excel VBA and sent it to someone a few weeks ago. Could they run it? No! What is new here?