25 years on, Microsoft makes another stab at stopping macro malware

Graham Cluley
Graham Cluley
@[email protected]

25 years on, Microsoft makes another stab at stopping macro malware

Bravo to Microsoft, because it sounds like they’re doing something to improve the security of Office users.

Way back in 1995, Microsoft accidentally shipped a virus on CD-ROM. At first Microsoft refused to call it a virus, preferring to call it a “Prank macro,” but WM/Concept as it became known was the first widespread virus capable of spreading via Microsoft Word documents.

In fact, Concept became the most widespread computer virus of any kind – largely because users were much more likely to exchange Word documents with their colleagues than floppy disks or .EXE files.

Sign up to our free newsletter.
Security news, advice, and tips.

Thousands of other macro viruses came in Concept’s wake, fuelled by the fact that each macro was written in a high level language and came complete with its own easy-to-edit source code – meaning that any ne’er-do-well could easily create their own variant with subtle changes.

One of the ways in which Microsoft eventually attempted to curb the spread of macro malware was to display a yellow warning strip along the top of Word documents that contained macros.

Security warning

Security Warning. Macros have been disabled. <Enable Content>

Unfortunately, with clever social engineering, unsuspecting users could be tricked into clicking that “Enable Content” button and allowing the malicious macros to run.

In the following example, for instance, the document claims to be encrypted and unsuspecting recipients are told to enable macros to view the message.

Malicious word document

In the years that followed Concept, cybercriminals have used poisoned Word documents and malicious macros to deliver malware to companies around the world – and they have often tricked targeted users into enabling macros as the first step of the attack.

But now, more than 25 years after it first distributed the Concept virus on CD-ROM and kickstarted the whole problem, Microsoft has done something which might be more successful at stopping the spread of macro malware.

Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet.

What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals.

And there’s no more yellow strip. It’s changed its hue to red.

Red strip

SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted. <Learn More>

And clicking on “Learn more” will take you to a Microsoft webpage where it explains in detail why the macros have been blocked from running, and makes any user who really still wants to run the macro to jump through some hoops.

No-one is suggesting that this is the end of macro malware, or even the end of attempts by cybercriminals to socially engineer potential victims into allowing macros to run, but it will surely help reduce the chances of success.

What a concept, eh?

For more information, be sure to read this great blog post on the Checkpoint website, and refer to Microsoft’s guidance as to how you can manage macro policies in your company.

And for further discussion on the topic, be sure to listen to episode 262 of the “Smashing Security” podcast:

Smashing Security #262: 'Macro progress, eyeball-tracking ads, and encryption backdoors'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.