What has Microsoft changed about Office macros?

Explore the details of Microsoft's policy of blocking Office macros by default in files downloaded from the Internet, and its impact on the malware landscape

Discovering Microsoft’s evolving approach to Office Macros:

In February 2022, Microsoft announced a significant change to its policy on Office macros: VBA macros in files that originate from the Internet are now disabled by default, rather than being one click away from running.

Going forward, macros are blocked by default in documents that carry the Mark of the Web, that is, files downloaded from the Internet or received as e-mail attachments. Users no longer get an "Enable Content" button that turns macros on with a single click; blocking is the default behavior, and the user has to take a deliberate, separate action to change it.

The decision whether macros in a downloaded document may run is no longer left to the user alone. It now depends on the file's source (whether it carries the Mark of the Web), whether the file sits in a Trusted Location, whether it has previously been marked as a Trusted Document, and whether its macros are digitally signed by a Trusted Publisher. These factors, evaluated in that order by Office, determine whether the macros are allowed to execute or the document is shown with a "Security Risk" banner instead.

Decoding the Mark of the Web:
Microsoft’s Shield Against Macro-Infected Office Documents

To understand how Microsoft's protection against macro-laden Office documents works, it is necessary to look at the Mark of the Web (MotW), the attribute on which the whole decision hinges.

The Mark of the Web is metadata that Windows attaches to a file downloaded from the Internet. It is stored in an NTFS alternate data stream named Zone.Identifier next to the file's main content; the stream holds a small INI-style [ZoneTransfer] section whose ZoneId field records the security zone the file came from, often together with the referrer and host URL. Browsers, mail clients and other download tools write this stream automatically when they save a file to an NTFS volume. Two practical caveats follow from this design: the mark only exists on NTFS, so a file copied to a FAT or exFAT volume loses it, and a file extracted from an archive only carries the mark if the extracting tool propagates it.

[Figure: Microsoft's flowchart of the macro blocking decision and the factors it takes into consideration. Source: Microsoft]

The ZoneId value identifies the URL security zone the file originated from: 0 for Local Machine, 1 for Local Intranet, 2 for Trusted Sites, 3 for Internet and 4 for Restricted Sites. Each zone implies different handling by Windows and by applications that honor the mark; Office treats files tagged with zone 3 or 4 as coming from the Internet and applies the macro block to them.
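The following is an added example, not code from the original article or from Microsoft. It parses a Zone.Identifier stream as described above and then walks the factors the article lists (Trusted Location, Trusted Document, Mark of the Web, the Group Policy setting and a Trusted Publisher signature) to reproduce the outcome Office shows. The ordering of the checks follows the documented flowchart as the author of this example reads it, and the sample stream, paths and policy values are constructed for the demonstration; treat the whole thing as a simplified model, not Office's actual implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# URL security zone IDs as Windows writes them into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
# Office applies the macro block to files tagged with one of these zones.
INTERNET_ZONES = {3, 4}


def read_zone_stream(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier. Only works on Windows/NTFS; None elsewhere."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream: Optional[str]) -> Optional[dict]:
    """Parse the INI-style stream; None means 'no Mark of the Web'."""
    if not stream:
        return None
    section, fields = None, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields or not fields["ZoneId"].isdigit():
        return None
    zone_id = int(fields["ZoneId"])
    return {"ZoneId": zone_id, "ZoneName": ZONE_NAMES.get(zone_id, "Unknown"),
            "ReferrerUrl": fields.get("ReferrerUrl"), "HostUrl": fields.get("HostUrl")}


@dataclass
class OfficeFile:
    path: str                      # where the document sits on disk
    zone_stream: Optional[str]     # contents of <path>:Zone.Identifier, or None
    trusted_document: bool = False
    signed_by_trusted_publisher: bool = False


@dataclass
class OfficePolicy:
    trusted_locations: list = field(default_factory=list)
    # GPO "Block macros from running in Office files from the Internet":
    # None = not configured (new default applies), True = enabled, False = disabled.
    block_internet_macros: Optional[bool] = None


def macro_decision(f: OfficeFile, policy: OfficePolicy) -> str:
    """Return the outcome Office would show for this file's macros (model)."""
    norm = f.path.replace("/", "\\").lower()
    if any(norm.startswith(loc.replace("/", "\\").lower().rstrip("\\") + "\\")
           for loc in policy.trusted_locations):
        return "run: Trusted Location"
    if f.trusted_document:
        return "run: Trusted Document"
    motw = parse_zone_identifier(f.zone_stream)
    if motw is None or motw["ZoneId"] not in INTERNET_ZONES:
        # No Mark of the Web: the pre-2022 Trust Center / VBA notification settings apply.
        return "trust-center settings apply (yellow 'Enable Content' bar)"
    if policy.block_internet_macros is True:
        return "blocked: policy"
    if policy.block_internet_macros is False:
        return "trust-center settings apply (yellow 'Enable Content' bar)"
    if f.signed_by_trusted_publisher:
        return "run: signed by Trusted Publisher"
    # This is the red "Security Risk: Microsoft has blocked macros from running
    # because the source of this file is untrusted" banner.
    return "blocked: Security Risk banner (Mark of the Web, zone %s)" % motw["ZoneName"]


# Constructed sample of what a browser writes next to a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.docm\r\n"
)

if __name__ == "__main__":
    policy = OfficePolicy(trusted_locations=[r"C:\Users\alice\Trusted"])
    downloaded = OfficeFile(r"C:\Users\alice\Downloads\invoice.docm", SAMPLE_STREAM)
    print(macro_decision(downloaded, policy))
    # Same file after the user ticked 'Unblock' in Properties (stream removed):
    print(macro_decision(OfficeFile(downloaded.path, None), policy))
```

Running the block shows the two outcomes side by side: with the stream present the file lands on the "Security Risk" banner, and with the stream removed the old Trust Center behavior returns, which is exactly why the unblock step has to live outside Office. The `read_zone_stream` helper lets you feed a real file into the model on a Windows machine.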

A closer look: Microsoft’s Interface Changes for Office Macros

Let's take a closer look at how the change altered what the end user sees when a document contains macros. In the previous version, users could enable macro execution with a single click: the yellow warning bar at the top of the document carried a convenient "Enable Content" button for exactly that purpose.

In the current version, enabling macros in a downloaded document is deliberately harder. The banner is now red, reads "Security Risk", and offers only a "Learn More" link. To run the macros, the user has to leave Office altogether: either remove the Mark of the Web by ticking "Unblock" in the file's Properties dialog in Windows Explorer, or move the file to a Trusted Location. The old one-click "Enable Content" button was one of the main reasons macro malware survived for so long, so removing it is the core of the change.

[Screenshot: old vs. new security warning for Office macros as shown to the end user. The new red "Security Risk" banner has no button to allow macros, unlike the old yellow "Enable Content" bar.]

After receiving immediate user feedback and acknowledging the complexities involved, Microsoft rolled back the update in July 2022, only to resume the rollout of the VBA macro auto-blocking feature later that same month. This milestone marks a significant step forward in the security of Office documents.

It is important to note that this change does not guarantee complete safety: the block depends on the Mark of the Web being present, and attackers have simply moved to file formats and delivery methods that do not carry it. Even so, it undoubtedly contributes to a safer environment for both security practitioners and end users.

Let us now continue our journey by exploring the impact this change had on the threat landscape.

Chapter 9: 
What’s next in the post-macro threat landscape?
