Office Macros: What They Are and Why You Should Disable Them


Microsoft Word, Excel, or PowerPoint users may be aware of macros but are not totally sure what happens when they are enabled.

Macros are a series of operations that can be performed with a single keystroke or command in order to automate routine processes. Suppose, let’s assume that you are given a massive collection of financial data that has to be rearranged by name, amount, and date. You could enable a macro to name the first cell of column A as ‘Name’, column B as ‘Amount’, and column C as ‘Date’, then have it sort the raw data into the appropriate fields.

These processes can be recorded with the built-in macro recorder in Excel; and after it has been set up, you can assign the macro to a keyboard shortcut or quick access button; and execute the macro whenever you need to format similar sets of data.

It’s a nifty trick for employees who want to eliminate time-consuming tasks. However, there’s a huge risk with enabling macros in Microsoft Office; and here’s what you need to be aware of.

Macro viruses

Macros are actually quite powerful if you want to get up to no good. For instance, cybercriminals can embed macros in Office documents that can manipulate or delete files in your hard drive; or download malware from the internet. If nefarious macros are in a document; an unsuspecting user could set it off by hitting a common keyboard shortcut or by simply opening that file.

Macro attacks were prolific in the 90s, the most effective being the Melissa virus. This Microsoft Word macro would run automatically; read the first 50 people from the victim’s Outlook account; and send each contact a copy of the malware-infested file; flooding inboxes and slowing down email servers.

Although Office 2016 products have much stronger safeguards; the lack of knowledge about macros and sophisticated social engineering attacks allow hackers to dupe users time and time again.

In 2016, phishing emails titled “ATTN: Invoice” containing a macro-infected Word attachment were used to deliver the Locky ransomware; successfully taking 446,000 computer networks hostage, according to Palo Alto Networks. And earlier this year, cybercriminals began targeting more Mac users with boobytrapped Office files; that would automatically download malware, access webcams, and read browser history when a user enables macros on the document.

Preventing infection

The best way to avoid these attacks is by disabling macros altogether. In most cases; Office products prevent macros from running by default. They open a protected view of the document with a notification that macros have been disabled unless you press the “Enable this content” option.

To confirm this setting applies to you; click Options under the File menu, access Trust centre, then Macro Settings, and select “Disable all macros with notification.” This way, you can choose to enable macros on a case-by-case basis.

Another setting is “Disable all macros except digitally signed macros.” This displays a security notification for macros that were developed by a certified publisher, allowing you to decide whether to enable or disable them. Any unsigned macros are automatically disabled so you don’t have to deal with them.

Group Policies

There is, however, a possibility that an employee can ignore the security warnings and enable macros. But with Office 2016’s new Group Policy Management feature, company administrators can control macro security settings per application.

To set a policy wherein no employee is able to accidentally enable macros — and thereby open your systems up to malicious macros — run the Group Policy Management Editor, and go to User Configuration. Click on Administrative templates > Microsoft Excel 2016 > Excel options > Security > Trust Centre. Then open “Block macros from running in Office files from the internet” setting to configure and disable macros from any of the following sources:

  • Documents from file-sharing sites
  • Email attachments
  • Files from cloud service providers like G Suite, OneDrive, and DropBox

Group policies act as a second line of defence in case employees missed the initial macro security warning. And if users did attempt to enable macros from an online document; they’d be greeted with a notification saying macros had been blocked by the enterprise administrator.

Of course, if the Office file is saved in a trusted location like a local server; macros would be allowed to run.

Final recommendations

Apart from these settings, end-users must create a list of trusted macro-embedded documents; so they can easily identify whether a certain file is dangerous. Macro threats and the importance of disabling macros should be thoroughly discussed in your organisation.

It’s important to be cautious of strange files with unclear origins. Most macro-based attacks are distributed via phishing emails; where hackers will masquerade as a bank teller or IT technician to trick employees into enabling malicious macros. As such, treat email attachments with .docm, .xlsm, or .pptm extensions with more scrutiny; as these files could potentially host malware.

In any case, always make sure to assess who published or digitally signed the document; and if the macro-embedded file was developed by a manager or co-worker, promptly contact them to verify the legitimacy of the file.

Macros offer plenty of productivity-boosting opportunities; but you and your employees have to approach them with caution. The resurgence of macro-based malware is proof that hackers will use any trick to catch you off guard.

When you contact Empower IT; you get a full cybersecurity implementation plan that protects your business from ransomware, cloud attacks, rogue Office documents, and other cyberattacks. Send us a message today to fortify your defences.