Microsoft has announced (https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/) a new group policy setting in macro security that blocks macros in files that arrive from the Internet. If there is one setting you should implement in your organization, it is this one. This setting will make attacks through email attachments much harder. Microsoft’s Office 365 Advanced Threat Protection Service indicates that 98% of Office-targeted attacks use macros as their attack method. Many organizations actively use macros as a tool in their advanced spreadsheets, and by default macros are enabled, or at least the user can choose to run the macro just by pressing a button like this one:
Attackers often fool users into clicking the “Enable Content” button. I illustrated this in one of my previous blog posts: http://msitpros.com/?p=3253 . The new group policy setting is genius, because it will not display this button if the file arrives by email or is opened from an untrusted location. This makes sure that files stored on file servers can still use macros, so productivity is not interrupted. To enable this setting you can either use the ADMX for Office 2016 or create a REG_DWORD named blockcontentexecutionfrominternet with the value 1 in the following locations:
If you want to do it the group policy way, the group policy administrative templates can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=49030
After you have added the templates to your group policy, the setting can be found under “User Configuration – Administrative templates – Microsoft Word/Excel/PowerPoint 2016 – Word/Excel/PowerPoint Options – Security – Trust Center”. The setting is named “Block macros from running in Office files from the Internet”. You can also read more about the setting here: https://technet.microsoft.com/en-us/library/ee857085%28v=office.16%29.aspx#blockvba
When this setting is enabled, instead of the normal security warning the user will see the message “Macros in this document have been disabled by your enterprise administrator for security reasons.”:
The file I am illustrating in this blog post was sent by email. If the user saves this document to their Documents folder or to a trusted file server, the normal “Enable Content” button will appear.
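As an added example (not part of the original post, and not a Microsoft tool), the following PowerShell script audits the registry value described above for Word, Excel and PowerPoint on the current user, optionally sets it, and reads the Mark of the Web (Zone.Identifier stream) of a file, which is what decides whether Office treats the file as coming from the Internet. The per-application key path `HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security` and the version string `16.0` are assumptions based on how Office 2016 policy values are normally stored; verify them against the ADMX template before relying on the script.

```powershell
# Added example, not from the original post: audit/enforce the
# "Block macros from running in Office files from the Internet" value
# and inspect a file's Mark of the Web.
#
# ASSUMPTION: the per-application policy key for Office 2016 is
#   HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security
# Check this against the ADMX template for your Office build.

param(
    [switch]$Enforce,                 # write the value instead of only reporting
    [string]$OfficeVersion = '16.0',  # Office 2016 (assumed; adjust for your build)
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
)

$ValueName = 'blockcontentexecutionfrominternet'   # REG_DWORD named in the post
$Expected  = 1

function Get-PolicyKey {
    param([string]$App)
    # Assumed key layout, see the note at the top of the script
    return "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Get-MacroBlockState {
    param([string]$App)
    $key = Get-PolicyKey -App $App
    $current = $null
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        App       = $App
        Key       = $key
        Value     = $current
        Compliant = ($current -eq $Expected)
    }
}

function Set-MacroBlock {
    param([string]$App)
    $key = Get-PolicyKey -App $App
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -Value $Expected -PropertyType DWord -Force | Out-Null
}

# Reads the Zone.Identifier alternate data stream (Mark of the Web).
# ZoneId 3 = Internet, 4 = Restricted. A file without the stream is treated as
# local, which is why a copy saved to a trusted location shows "Enable Content" again.
function Get-FileZoneId {
    param([string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -and ($line -match '^ZoneId=(\d+)')) { return [int]$Matches[1] }
    return $null
}

# Report the current state for each application
$report = foreach ($app in $Apps) { Get-MacroBlockState -App $app }
$report | Format-Table -AutoSize

# Optionally set the value where it is missing or wrong
if ($Enforce) {
    foreach ($row in ($report | Where-Object { -not $_.Compliant })) {
        Set-MacroBlock -App $row.App
        Write-Host "Set $ValueName=$Expected for $($row.App)"
    }
}
```

Run the script without arguments to get a compliance table, and with `-Enforce` to write the value for the current user. To see why a given attachment did or did not trigger the block, call `Get-FileZoneId` on it (for example on a file in `$env:USERPROFILE\Downloads`); a result of `3` means Office will treat it as an Internet file. For a domain-wide rollout, deploy the setting through the ADMX templates as described above rather than with this script, since values under the Policies key are managed by Group Policy and a local change is only a per-user test.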
I must say I really like this approach by Microsoft, and it will make life much harder for both cyber criminals and penetration testers. Great work Microsoft! Now it is just up to all IT pros to implement it.
Just do it and it will make your environment more secure!