Microsoft to make enabling 'untrusted' Office macros tougher in the name of security

Starting in early April, Microsoft will be changing the default behavior of VBA macros downloaded from the internet on Windows devices.
Written by Mary Jo Foley, Senior Contributing Editor
Credit: Microsoft

Starting in early April, Microsoft plans to make it tougher to enable VBA macros that are downloaded from the internet in several of its Office apps. The effect, the company hopes, will be to eliminate a popular way for malware to perpetuate.

Microsoft plans to block by default VBA macros obtained from the internet in Office on devices running Windows. This will impact Access, Excel, PowerPoint, Visio, and Word, according to a February 7 blog post from the Office product group. The change will begin rolling out in the Current Channel (preview) of Office on Windows and will prevent users from enabling these kinds of macros with a single click.

Over time, Microsoft will move beyond the Current Channel with this change and apply it to other Office distribution channels, like the Monthly Enterprise and Semi-Annual Enterprise Channels. This change also will be applied to the Long Term Servicing Channel version of Office, including Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.

UK cybersecurity expert (and former Microsoftie) Kevin Beaumont tweeted that "this is potentially a game changer for the cybersecurity industry, and, more importantly customers," as macros account for about 25 percent of all ransomware entry -- a figure he called "deeply conservative." 

A message bar noting that a particular downloaded VBA is not trusted will note: "Security Risk: Microsoft has blocked macros from running because the source of this file is untrusted" next to a Learn More button. The Learn More button will take users to an article about the security risk of bad actors using macros, ways to prevent phishing and malware, and instructions for enabling these macros by saving the file and removing the Mark of the Web (MOTW). The MOTW is added to files by Windows when they're from an untrusted location (internet or Restricted Zone).

This article from Microsoft has more information for IT pros/admins about the coming change in macro behavior.

Editorial standards