
5/12/2020 Malicious macros are still causing problems! - NCSC.GOV.UK

BLOG POST

Malicious macros are still causing problems!


Andrew A explains the updated guidance for Microsoft Office macros

Andrew A

In 2016, we published guidance describing how administrators can help protect
their systems from malicious Microsoft Office macros. The message was a simple
one; the only truly effective way of preventing such infections was to disable
macros.

Admittedly, that wasn’t the most helpful advice, as many business processes rely
on macro-riddled Excel files that were written years ago.

https://www.ncsc.gov.uk/blog-post/malicious-macros-are-still-causing-problems 1/3

Macro-based malware campaigns are still working

Last year Cofense reported that Office macros were involved in nearly half of
detected malware deliveries. It’s something we’ve also seen in high-profile
phishing campaigns using malware such as Trickbot and Emotet, both of which
have played a part in the recent Ryuk ransomware campaign. As macro-based
malware campaigns are still working, our current mitigations need revisiting.

So what's changed?

The previous advice still stands: the only fully effective mitigation is to disable
macros.

However, it’s going to take some organisations a while to achieve this. With that in
mind, we’ve updated our Macro Security for Microsoft Office Guidance to include
some newer security features that are included in recent versions of Office. These
features mitigate some classes of malicious macros whilst allowing most of your
current ones to still run. It’s not a magic bullet, but it makes things safer while you
replace your macro-enabled documents and workflows with something else.

The updates to the guidance include:

• hardening the sandbox around Office apps on macOS and Windows to
  disable the more dangerous macro capabilities that are commonly used by
  malware

• using an AMSI-compatible antivirus product on Windows that scans for
  malicious activity in macros as they run

• identifying alternative safer approaches to Office macros, such as Microsoft
  Flow

• realising that not everyone manages their Windows devices using Group
  Policy, we’ve included some recommended settings that can be deployed
  using the new Office Cloud Policy Service that’s included with Office 365


Malicious macros on macOS

You’ll have noticed I mentioned macOS. Using a default configuration, Office
macros on macOS can be as dangerous as those on Windows. We’ve therefore
expanded the guidance to cover both platforms.

The Office Macro is unwell...

We can't quite claim that the Office macro is dead (yet), but I’m pleased to say
that this is the case when it comes to the NCSC’s own systems.

If you’re not doing so already, now's the time to find alternatives to macros.
Identify the macros that your business currently relies on, find alternatives to
them, and then turn them off. You should also make sure you’re running the latest
versions of Office, and enable the features recommended in the updated
guidance to make it harder for attackers to use malicious macros against you.
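
One way to start the "identify the macros your business relies on" step, as an added example (not NCSC code and not part of the guidance): walk a file share and list Office files that carry a VBA project. The legacy-format check is a byte-level heuristic chosen for this sketch, and the sample files are constructed placeholders.

```python
import os
import tempfile
import zipfile

# OOXML extensions to inspect; macro-free ones are included so a renamed
# macro-enabled file is still flagged by its content, not its name.
OOXML_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm",
              ".ppsm", ".docx", ".xlsx", ".pptx"}
# Legacy Word/Excel only: legacy PowerPoint stores VBA differently and is
# not covered by this heuristic.
LEGACY_EXTS = {".doc", ".dot", ".xls", ".xlt"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Compound-file directory entries are named in UTF-16LE.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def has_vba(path):
    """Return True if the file appears to contain a VBA project."""
    ext = os.path.splitext(path)[1].lower()
    try:
        if ext in OOXML_EXTS and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        if ext in LEGACY_EXTS:
            with open(path, "rb") as f:
                data = f.read()
            # Heuristic (assumption of this example), not a full OLE parser.
            return data.startswith(OLE_MAGIC) and VBA_MARKER in data
    except (OSError, zipfile.BadZipFile):
        return False
    return False

def inventory(root):
    """Return sorted relative paths of files under root that carry VBA."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if has_vba(p):
                hits.append(os.path.relpath(p, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample files (not real documents) so this runs offline."""
    with zipfile.ZipFile(os.path.join(root, "budget.xlsm"), "w") as z:
        z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as z:
        z.writestr("word/document.xml", "<document/>")
    with open(os.path.join(root, "legacy.xls"), "wb") as f:
        f.write(OLE_MAGIC + b"\x00" * 64 + VBA_MARKER)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        print(inventory(d))
```

The resulting list is a starting point for deciding which workflows need an alternative before macros are turned off.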

We’d love to hear your stories about what you’re doing in your organisation to
reduce your reliance on macros. Please get in touch with us if you’ve got
experiences to share, or if you have feedback about the guidance itself.

Andrew A
Cloud Security Research Lead - NCSC

WRITTEN BY: Andrew A

PUBLISHED: 7 October 2019
