Microsoft announced in February that Office would automatically block VBA macros in documents downloaded from the Internet. Soon after this new feature went live for all customers last month, Microsoft warned that this change was being rolled back temporarily. This again leaves Windows and Microsoft Office users exposed to attacks launched via Office documents with embedded malicious macros.
Some users have reported they cannot re-enable macros after they’re automatically blocked because they can’t find the Unblock button to remove the Mark-of-the-Web from downloaded files. Some administrators also feel that the decision was a problem for end-users who would find it burdensome to unblock each downloaded Office document multiple times each day.
“This is a temporary change, and we are fully committed to making the default change for all users,” Angela Robertson, Principal GPM for Identity and Security said.
Macros in Office documents continues to be a mainstay in modern threat group arsenals. Allowing macros in downloaded Office documents allows for a wide range of possible attacks against organizations and users. While Microsoft has rolled back the automatic blocking of macro enabled documents, Windows system administrators still can disable macros at the Group Policy level. BleepingComputer has released a guide to assist administrators that wish to continue to block macros here: https://www.bleepingcomputer.com/news/microsoft/how-to-auto-block-macros-in-microsoft-office-docs-from-the-internet/