Microsoft Office Macros
Macro Security for Microsoft Office
Why macros are a threat, and the approaches you can take to protect your systems.
This guidance describes how administrators can help protect their systems from malicious Microsoft Office macros. It outlines why macros are a threat, and the approaches you can take to protect your devices.
What are macros, and why are they a problem?
A macro is a small program that is often written to automate repetitive tasks in Microsoft Office applications. Macros have been historically used for a variety of reasons - from an individual automating part of their job, to organizations building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of the Office file.
Macros are often created for legitimate reasons, but they can also be written by attackers to gain access to or harm a system, or to bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations around the world are compromised today. Malicious macros can do almost anything that other malware can do to your system, including emulating ransomware, stealing data, and emailing itself out to your contacts.
Malicious macros are not new; the underlying attack has remained unchanged since the 1990s, and they still form the majority of attacks targeting Microsoft Office. However, obfuscation and dynamic content loading has made malicious documents more difficult for traditional antivirus to detect.
Macros are often part of phishing or spear phishing campaigns. In these, an attacker sends emails and attempts to convince the user to open the attached file and run the malicious macro. Techniques (such as those documented by Microsoft) successfully use social engineering to trick well-intentioned users into enabling malicious Office macros. The BCSF phishing guidance discusses how you can defend your organization against phishing attacks.
Protecting your systems from malicious macros
The only effective way to protect your systems against malicious macros is to disable macros across Office apps, and ensure users cannot re-enable them.
Many organizations currently rely on Office macros for day-to-day business functions, including where they’re used to interact with external partners. Organizations that are still using macros should develop a strategy for replacing them - we’ve included a few tips below for how you might do this.
If you can’t yet turn macros off, you will need to find the combination of mitigations listed below that are most effective for you, as different organizations use macros in different ways. That said, for all installations of Microsoft Office you should:
disable Office macros except in the specific apps where they are required
only enable macros for staff that rely on them every day
use an anti-malware product that integrates with the Antimalware Scan Interface (AMSI) on Windows 10
use the latest version of Office (ideally the Monthly Channel) on the latest version of the platform
Tip 1. Disable macros where they’re not used
If your organization does not use macros, they should be turned off entirely. If you cannot yet turn macros off, you should work on replacing the macros that your business relies on, so that you can turn them off entirely in the future. Larger organizations should consider only enabling macros for the specific groups or teams that need them. This allows training to be better-focused and appropriately targeted for these smaller sets of users, to help them understand social engineering techniques and agree sensible protective measures.
The cloud-based Security Policy Advisor can help you identify groups that can have macros disabled with minimal impact, and optionally integrate with Office 365 ATP to identify the top users of macros, and the top users who are targeted by documents with malicious macros. The service relies on telemetry sent to Microsoft from your devices. You will need to be comfortable with at least required service data being collected by Microsoft and ensure that those data flows are enabled. If diagnostic telemetry is enabled, we recommend disabling the additional optional diagnostic data.
You should note that:
Recent versions of Microsoft Office have macros enabled by default, but rely on the user to click a button before any macros can run. It is relatively simple to trick the user into clicking this button, so you cannot rely on it as a mitigation.
Macros on Windows are configured per-application. If you use macros in some Office applications and not others, you should disable them in the applications where they are not used. For example, if your organization only uses macros in Excel, you can disable them in Word, PowerPoint, Visio, Access and Publisher. Note that OneNote does not support macros.
Macros on macOS are configured for the entire Office suite so you should aim to entirely disable them.
Tip 2. Reduce your dependency on macros
If you cannot turn off macros because you currently use them, you should work to reduce your dependency on them. You should prioritize replacing macros that are incompatible with the attack surface reduction (ASR) rules listed below. Recent alternatives to office automation that can replace macros include:
using off-the-shelf Office Add-ins to add new functionality to Office applications
automating data flows using modern SaaS alternatives such as Forms, Flow and PowerApps
building custom Web Applications that support business processes
building on off-the-shelf serverless cloud components
Tip 3. Disable high-risk macro capabilities
Exploit Guard attack surface reduction (ASR) rules on Windows 10 can be configured to disable some of the abilities of malicious macros. Exploit Guard can be initially run in audit mode to allow you to confirm that the macros that your organization uses will continue to work properly. ASR rules also affect the behavior of other Office features (such as Add-ins), so will require testing prior to broad deployment in organizations that rely on third party Office plugins.
Office on macOS uses the platform’s sandbox to limit the damage caused by a malicious document. We recommend strengthening the default configuration of the Office sandbox to further reduce the impact of running malicious macros.
Tip 4. Use an antimalware product to detect malicious behavior in macros
You can reduce the chance of a malicious macro reaching a user if you use an anti-malware product that includes behavioral analysis for macro-enabled Office documents. It could be a part of your email service, or a feature of the anti-malware software on the user’s device.
Organizations using an antivirus that uses Microsoft’s AMSI interface (as recommended in the BCSF’s EUD Guidance for Windows 10) can detect malicious macros even if the malicious intent is cleverly disguised. You should configure the feature to scan all documents, as the default is to only scan those that Office has identified as having come from the Internet.
We recommend that devices connected to the Internet are configured in line with the BCSF’s End User Devices Security Guidance. While application allow listing is unlikely to prevent malicious macros themselves from running, a configuration such as the one suggested in the guidance for Windows 10 and macOS is often effective in blocking malware that is downloaded or extracted by the macro.
Tip 5. Disable macros unless they are in trusted files
Organizations that have a code signing service can choose to configure Office on Windows to only allow digitally signed macros to run. This is lower risk than allowing an Office application to open any macro, as malicious macros are not usually signed by their authors.
Office on Windows can also be configured to only allow macros if the file is loaded from a trusted location, such as a specific folder, file share or website. Your organization will need to define that list of trusted locations. We recommend that macros are only permitted to run from a trusted location, such as a network share that only trusted administrators have write access to.
The antivirus integration described above does not apply to macros in trusted files by default, as many organizations rely on macros that exhibit similar behaviors to malware.
Tip 6. Block macros from the Internet
Office 2016 on Windows introduced the ability for an organization to block macros in files received from the Internet. This makes it more difficult to trick the user into bypassing the warning. Macros are blocked from the Internet by default on Windows 10 in S mode. This feature is not available on macOS.
Note that it is usually not practical to block the file types that can contain macros, as they can be found in commonly used legacy formats (such as .RTF, .DOC and .DOT), as well as the newer formats that explicitly mark themselves as containing a macro (such as .DOCM and .DOTM).
Configuration options for Windows devices managed by the cloud
Most of the mitigation options above can be configured using the Office Cloud Policy Service (OCPS) for users that have signed into their Office applications using their work identity. This includes devices that are joined to Azure Active Directory. Some settings apply to Windows rather than Office, and can be configured via MDM.
Some settings can be applied separately for each Office application that you have installed. Organizations using OCPS can apply Office settings to different groups of users, allowing macros to be enabled for a specific subset of the people in your organization.
The service implements a subset of the user-based policies that are available in group policy. Microsoft publishes documentation explaining the group policy settings available for Office 365 ProPlus, Office 2016, and Office 2019.
Configuration to disable the Office macro engine
You can set a policy to disable macros across all Office applications:
OCPS policy | Application | Configuration |
---|---|---|
Disable VBA for Office applications | Office | True |
If you choose to leave macros enabled for some applications, you should set the policies to disable them for the other Office applications. You should also configure the recommended security mitigations in the following section (this is not necessary if you disable macros for all applications using the configuration above).
OCPS policy | Application | Configuration |
---|---|---|
For each of Access, Excel, PowerPoint, Publisher, Project, Visio and Word: | [Application name] | Disable all without notification |
Security settings for macros | Outlook | Never warn, disable all |
Configuration to only allow digitally signed macros
You will need to set a group policy for each Office application that you want to configure. We suggest also configuring the recommended security mitigations in the following section, even if you only allow digitally signed macros across the Office suite.
OCPS policy | Application | Configuration |
---|---|---|
For each of Access, Excel, PowerPoint, Publisher, Project, Visio and Word: | [Application name] | Disable all without notification |
Security settings for macros | Outlook | Warn for signed, disable unsigned |
Configuration to enable recommended macro security mitigations
These settings are recommended for all Office deployments that allow any use of macros.
OCPS policy | Application | Configuration |
---|---|---|
Macro runtime scan scope | Office | Enable for all documents |
For each of Access, Excel, PowerPoint, Visio and Word: | [Application Name] | True |
MDM Device Configuration Profile | Configuration |
---|---|
Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction Attack Surface Reduction Office apps launching child processes | Block |
Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction Office apps/macros creating executable content | Block |
Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction Office apps injecting into other processes (no exceptions) | Block |
Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction Win32 imports from Office macro code | Block |
Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) | Block |
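As an added example that is not part of this guidance and is not Microsoft's own tooling, the following PowerShell stages the five ASR rules from the table above in audit mode on a pilot device (as Tip 3 suggests), reports the configured state of each rule, and pulls the audit events that show what the rules would have blocked, so that the switch to Block can be made once legitimate macros and add-ins are confirmed unaffected. It assumes Microsoft Defender Antivirus on Windows 10, the Defender PowerShell module, an elevated session, and that the rule GUIDs (Microsoft's published identifiers, which this page does not list) and the event data field names are checked against Microsoft's current ASR documentation before deployment.

```powershell
# Added example, not part of the original guidance. Requires an elevated session on
# Windows 10 with Microsoft Defender Antivirus (Defender PowerShell module).
# The GUIDs below are Microsoft's published identifiers for the five rules in the
# MDM table; they are not on the page, so confirm them against Microsoft's current
# ASR rule reference before use.
$OfficeAsrRules = [ordered]@{
    'Office apps launching child processes'          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Office apps/macros creating executable content' = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Office apps injecting into other processes'     = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Win32 imports from Office macro code'           = '92E97FA1-5D9D-4FD3-A11E-1B2B7E6B6E88'
    'Executable content dropped from email'          = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}

# Numeric action codes as reported by Get-MpPreference
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-OfficeAsrRules {
    # Apply one action to every rule. Start with AuditMode on pilot devices, then
    # move to Enabled (block) once the audit log shows no legitimate macro activity.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AuditMode', 'Enabled')]
        [string] $Action
    )
    foreach ($rule in $OfficeAsrRules.GetEnumerator()) {
        # Add-MpPreference merges with the existing rule list; an entry with the
        # same GUID gets the new action rather than a duplicate entry.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-OfficeAsrRuleState {
    # Report the configured action for each of the five rules ('NotSet' if absent).
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($rule in $OfficeAsrRules.GetEnumerator()) {
        $state = 'NotSet'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $rule.Value) {
                $code  = [int]$actions[$i]
                $state = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
            }
        }
        [pscustomobject]@{ Rule = $rule.Key; Id = $rule.Value; State = $state }
    }
}

function Get-OfficeAsrAuditHits {
    # Defender logs event 1122 when a rule matches in audit mode (1121 when it
    # blocks). Grouping audited hits per rule shows which macros or add-ins the
    # rules would break before they are turned on. Event data field names
    # ('ID', 'Path', 'Process Name') are an assumption to verify on your build.
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x    = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                RuleId  = $data['ID']
                Path    = $data['Path']
                Process = $data['Process Name']
            }
        } | Group-Object RuleId | Sort-Object Count -Descending
}

# Pilot sequence:
Set-OfficeAsrRules -Action AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
# ...after a representative period of normal use, review what would have been blocked:
Get-OfficeAsrAuditHits -Days 7 | Format-Table Name, Count -AutoSize
# Set-OfficeAsrRules -Action Enabled   # switch to Block once the audit is clean
```

Run the audit step on devices that represent each business group that relies on macros or third-party add-ins; a rule that shows no 1122 events over a normal working period can be moved to Block for that group, while rules with hits identify the specific macros that need replacing (Tip 2) before the rule is enforced.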
Configuration to limit service data sent to Microsoft
If your organization is using the Security Policy Advisor, you will need to configure Office to allow just the required service data to be collected:
OCPS policy | Application | Configuration |
---|---|---|
Allow the use of connected experiences in Office | Office | Enabled |
You can optionally also prevent diagnostic data from being sent to Microsoft:
OCPS policy | Application | Configuration |
---|---|---|
Configure the level of diagnostic data sent by Office to Microsoft | Office | Neither |
Configuration options for Windows devices managed by Group Policy
Most of the mitigation options above can be configured using Group Policy across an enterprise, or Local Group Policy on an individual machine.
Some settings will need to be configured separately for each Office application that you have installed on devices. Enterprises using Active Directory can apply group policies to different Organizational Units, allowing macros to be enabled for a specific subset of the people in your organization.
Microsoft publishes documentation explaining the group policy settings available for Office 2016, Office 365 ProPlus and Office 2019.
Microsoft also publishes a security baseline for Office 2016 and Office 365 ProPlus. Their baseline includes their recommended security settings for the whole of the Office suite on Windows, including some of the settings recommended by this guidance.
You may need to install the Administrative Template Pack for Office 365 ProPlus, Office 2019 and Office 2016 to be able to configure the Group Policies below.
Configuration to disable the Office macro engine
You can set a policy to disable macros across all Office applications:
Group policy | Value |
---|---|
User Configuration > Administrative Templates > Microsoft Office 2016 > [Application name] Settings > Security Disable VBA for Office applications | Enable |
If you choose to leave macros enabled for some applications, you should set the policies to disable them for the other Office applications. You should also configure the recommended security mitigations in the following section (this is not necessary if you disable macros for all Office applications):
Group policy | Value |
---|---|
For each of Access, Excel, PowerPoint, Project, Visio and Word: | Enabled |
For Access: | Enabled |
For Outlook: | Warn for signed, disable unsigned |
For Publisher: | Enabled |
Configuration to only allow digitally signed macros
You will need to set a group policy for each Office application that you want to configure. We suggest also configuring the recommended security mitigations in the following section, even if you only allow digitally signed macros across the Office suite.
Group policy | Value |
---|---|
For each of Access, Excel, PowerPoint, Project, Visio and Word: | Enabled |
For Access: | Enabled |
For Outlook: | Never warn, disable all |
For Publisher: | Enabled |
Configuration to enable recommended macro security mitigations
These settings are recommended for all Office deployments that allow any use of macros.
Group policy | Value |
---|---|
Computer Configuration > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction > Configure Attack surface reduction rules | Enabled |
User Configuration > Administrative templates > Microsoft Office 2016 > Security Settings > Macro Runtime Scan Scope | Enable for all documents |
For each of Excel, PowerPoint, Project, Visio and Word: | Enabled |
For Outlook: | Enabled |
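As an added example that is not from this guidance, the PowerShell below audits the per-user policy state that the Group Policy settings above produce (covering Tips 1, 4, 5 and 6) and flags any application left in a state where a user can still enable macros. The registry paths and value names it reads (HKCU\Software\Policies\Microsoft\Office\16.0\..., vbaoff, MacroRuntimeScanScope, VBAWarnings, blockcontentexecutionfrominternet and the Trusted Locations subkeys) are my assumptions about what the Office 2016 administrative templates write and are not listed on this page; confirm them against the installed ADMX files before relying on the results. Outlook uses a different setting and is not covered.

```powershell
# Added example, not part of the original guidance. Audits the macro policy values
# that the Group Policy settings above write under HKCU\Software\Policies.
# Registry paths and value names are the author's assumption about the Office
# 2016 administrative templates; confirm them against the ADMX files.
# Run as the user whose effective policy you want to check.
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$MacroApps  = 'Access', 'Excel', 'PowerPoint', 'Publisher', 'Project', 'Visio', 'Word'

# Meaning of VBAWarnings as written by "VBA Macro Notification Settings" (assumption)
$VbaWarningsText = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification (user can click Enable)'
    3 = 'Disable all except digitally signed (Tip 5)'
    4 = 'Disable all without notification (Tip 1)'
}

function Get-PolicyValue([string] $KeyPath, [string] $Name) {
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding([string] $Scope, [string] $Setting, $Value, [bool] $Ok, [string] $Note) {
    [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = $Value; Ok = $Ok; Note = $Note }
}

function Test-OfficeMacroPolicy {
    # Suite-wide switch ("Disable VBA for Office applications"): if set, nothing else matters.
    $vbaOff = Get-PolicyValue "$PolicyRoot\Common" 'vbaoff'
    if ($vbaOff -eq 1) {
        return New-Finding 'Office' 'vbaoff' 1 $true 'VBA engine disabled for all applications'
    }
    New-Finding 'Office' 'vbaoff' $vbaOff $false 'VBA engine enabled; per-application controls apply'

    # Tip 4: AMSI runtime scan scope, 2 = all documents (the recommended value above)
    $scope = Get-PolicyValue "$PolicyRoot\Common\Security" 'MacroRuntimeScanScope'
    New-Finding 'Office' 'MacroRuntimeScanScope' $scope ($scope -eq 2) 'Expect 2 (all documents); 1 scans only low-trust documents'

    foreach ($app in $MacroApps) {
        $sec   = "$PolicyRoot\$app\Security"
        $warn  = Get-PolicyValue $sec 'VBAWarnings'
        $block = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'

        # Tips 1 and 5: only 4 (off) or 3 (signed only) are acceptable per-application states
        $warnOk   = $warn -in 3, 4
        $warnText = if ($null -eq $warn) { 'not set: user-configurable, notification prompt by default' }
                    else { $VbaWarningsText[[int]$warn] }
        New-Finding $app 'VBAWarnings' $warn $warnOk $warnText

        # Tip 6: block macros in files marked as having come from the Internet
        New-Finding $app 'blockcontentexecutionfrominternet' $block ($block -eq 1) 'Expect 1'

        # Tip 5: macros in policy-defined trusted locations run regardless of VBAWarnings,
        # so list them for a check that only administrators can write to those paths.
        $locations = Get-ChildItem -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path } |
            Where-Object { $_ }
        New-Finding $app 'TrustedLocations' ($locations -join '; ') $true 'Confirm write access is limited to administrators'
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Rows with Ok = False identify applications where the user-clickable Enable button is still the only barrier, which Tip 1 notes cannot be relied on; the TrustedLocations rows are informational, since the guidance recommends trusted locations, but each listed path should be a share that only trusted administrators can write to.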
Configuration to limit diagnostic data sent to Microsoft
If your organization is using the Security Policy Advisor, you will need to configure Office to allow just the required diagnostic data to be collected:
Group policy | Value |
---|---|
User Configuration > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center > Configure the level of diagnostic data sent by Office to Microsoft | Enabled |
If not using the service, you can prevent diagnostic data from being collected entirely:
Group policy | Value |
---|---|
User Configuration > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center > Configure the level of diagnostic data sent by Office to Microsoft | Enabled |
Configuration options for macOS devices
The mitigation options available on macOS can be deployed using an MDM across an enterprise. The recommended settings are available on version 16.16 of Office for Mac or newer.
Microsoft publishes documentation explaining preference settings available for Office 2016 and Office 2019.
Configuration to disable the Office macro engine
This setting will configure all Office applications that support macros; macros cannot be disabled per-application.
Domain | Key | Configuration |
---|---|---|
 | VisualBasicMacroExecutionState | DisabledWithoutWarnings |
Configuration to enable recommended macro security mitigations
These settings are recommended for all Office deployments that allow any use of macros.
This setting will configure all Office applications that support macros; macros cannot be disabled per-application.
Domain | Key | Configuration |
---|---|---|
 | AllowVisualBasicToBindToSystem | No |
 | DisableVisualBasicExternalDylibs | Yes |
 | DisableVisualBasicToBindToPopen | Yes |
 | DisableVisualBasicMacScript | Yes |
Comparison of Microsoft Office versions
Some of the security-enabling features described above are only available in newer versions of Microsoft Office. Some features may also rely on Office being installed on a recent version of Windows 10 or macOS.
we recommend that you use the most recent version of Microsoft Office, and that all patches are applied
we recommend that you use the most recent version of macOS or Windows 10, and that all patches are applied
where possible, we recommend using the monthly channel of Office 365 ProPlus in preference to Office 2019 or earlier
we strongly recommend that you do not use versions of Microsoft Office that are no longer supported, including Office 2003 and Office 2007
Versions | Default Macro Behavior | Disable Macros | Disable high risk capabilities | Macro execution scanned by AV | Block from the internet | Trusted files (signature or location) |
---|---|---|---|---|---|---|
Office 365 on Windows 10 | Block until the user clicks the Enable Macros button | Per application | Yes | Yes | Yes | Yes |
Office 365 on macOS | Block until the user clicks the Enable Macros button | For all applications | Yes | No | No | No |
Office 2019, 2016, 2013 | Block until the user clicks the Enable Macros button | Per application | No | No | Yes | Yes |
* this feature was added to Office 2013 by Microsoft Update
Macros are supported by Office for Mac and offer similar functionality to Office running on Windows. They use a slightly different language and are run inside Apple’s sandbox. Therefore, malicious macros that are targeted at Windows versions of Office are less likely to be dangerous in Office for Mac.
Macros are not supported by Office Mobile apps and the Office Online browser-based document editors.