Serviceteam IT Security News

This guidance describes how administrators can help protect their systems from malicious Microsoft Office macros. It outlines why macros are a threat, and the approaches you can take to protect your devices.

We recommend you also read the Australian Cyber Security Centre’s technical document on macro security.


What are macros, and why are they a problem?

A macro is a small program that is often written to automate repetitive tasks in Microsoft Office programs – such as splitting data into separate columns in an Excel spreadsheet or inserting information from a database into a Word document. Macros are written in Visual Basic for Applications (VBA) and are saved as part of the Office file.

Macros are usually created for legitimate reasons, but they can also be written by attackers to gain access to or harm a system, or to bypass other security controls such as application whitelisting. Microsoft’s July 2015 Macro Malware Threat Intelligence Report highlighted the UK as a prominent target for malicious macros. A recent Microsoft blog also highlighted that 98% of Office-targeted threats detected by the Office 365 Advanced Threat Protection service use macros.

Macros are often part of a phishing or spear phishing campaign. In this, an attacker sends emails with files containing a malicious macro, and tries to convince the user to enable the macro. Techniques such as those seen by Microsoft successfully use social engineering to trick well-intentioned users into enabling malicious Office macros.


Protecting your systems from malicious macros

The only fully effective way to protect your systems against malicious macros is to disable all of them. However, this is not a particularly practical solution, as there are often legitimate business reasons to allow the use of Office macros.

The strategies outlined below can reduce the risk from macros. You will need to find the combination of mitigations that is most effective for you, as different organisations use macros in different ways. That said, all installations of Microsoft Office should:

  • disable Office macros except in the specific apps where they are required
  • only enable macros for users that need them day-to-day
  • use a recent and fully patched version of Office and the underlying platform, ideally configured in line with the NCSC’s EUD Security Guidance


Disable macros where they’re not needed

If your organisation does not use macros, they should be turned off entirely.

The default installation of recent versions of Microsoft Office on Windows has macros enabled, but relies on the user to click a button before any macros can run. You should change this default behaviour to only allow macros where they are needed.

Macros are configured per-application. This allows you to identify which Office applications need macros to be enabled, and disable them in the applications where they are not used. For example, if your organisation only uses macros in Excel, you can block them in all other Office applications so that you will be protected from malicious Word, PowerPoint, Visio, Access and Publisher documents.

Larger organisations should consider only enabling macros for the specific groups or teams that need them in their day-to-day work. This allows training to be better-focused and appropriately targeted for these smaller sets of users, to help them understand social engineering techniques and agree sensible protective measures.

Disable macros unless they are in trusted files

Organisations that have a code signing service can choose to configure Office to only allow digitally signed macros to run. This is lower risk than allowing an Office application to run any macro. Note that this feature will run any macro carrying a signature that the device trusts. Therefore, the mitigation will only be effective if Windows is fully patched and the organisation has the ability to revoke trusted root certificates across its devices.

If there is no code-signing service available, Office can be configured to only allow macros if the file is loaded from a trusted location, such as a specific folder, file share or website. Your organisation will need to define that list of trusted locations. This mitigation will be most effective if you can limit the number of people that can save files to those locations.

Block macros from the Internet

Office 2016 on Windows introduced the ability for an organisation to block macros in files received from the Internet. The feature was added to Office 2013 in the August 2016 monthly update. Because the Office application offers no button for the user to press, a user can't be lured into bypassing the block, which makes it an effective mitigation.

The feature relies on a tag that is added to the file when it comes from the Internet. It relies on a security feature that is fully supported by current versions of Outlook, Chrome, Edge, Firefox and Internet Explorer. Office can only protect itself while that tag remains attached to the file, which may be lost if the file is moved to a USB stick or some content management systems.

Note that it is usually not practical to block the file types that can contain macros, as they can be found in commonly used legacy formats (such as .RTF, .DOC and .DOT) as well as the newer formats that explicitly mark themselves as containing a macro (such as .DOCM and .DOTM).
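The "from the Internet" tag described above is stored by Windows as the Zone.Identifier alternate data stream on NTFS. The following PowerShell script is an added example, not part of the NCSC guidance: it reports, for macro-capable files in a folder, whether the tag is still present and whether its zone is one that Office blocks. It assumes Windows, an NTFS volume and PowerShell 5.1 or later; the folder path and extension list are assumptions you can adjust.

```powershell
# Added example, not part of the NCSC guidance: report whether Office files still
# carry the "from the Internet" tag (the NTFS Zone.Identifier alternate data stream)
# that Office 2013/2016 check before applying "block macros from the Internet".
# Assumes Windows, an NTFS volume and PowerShell 5.1 or later.
function Get-InternetZoneTag {
    param([Parameter(Mandatory)][string]$Path)

    # A file with no Zone.Identifier stream has lost (or never had) the tag, for
    # example after a copy through a FAT-formatted USB stick or some CMS uploads.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; TagPresent = $false; OfficeBlocks = $false }
    }

    # The stream is INI-style text: [ZoneTransfer], ZoneId=3, optional HostUrl/ReferrerUrl
    $zoneId = $null
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1]; break }
    }

    # Zone 3 is Internet and zone 4 is Restricted sites; Office applies the policy to
    # both. Zones 0-2 (local machine, intranet, trusted sites) are not blocked.
    [pscustomobject]@{
        Path         = $Path
        ZoneId       = $zoneId
        TagPresent   = $true
        OfficeBlocks = ($zoneId -eq 3 -or $zoneId -eq 4)
    }
}

# Legacy and macro-enabled formats named in the guidance, plus their Excel and
# PowerPoint equivalents. $folder is an assumed location; point it where you need.
$folder = Join-Path $env:USERPROFILE 'Downloads'
$macroCapable = '*.doc', '*.dot', '*.docm', '*.dotm', '*.rtf', '*.xls', '*.xlsm', '*.ppt', '*.pptm'

Get-ChildItem -Path $folder -Include $macroCapable -Recurse -File |
    ForEach-Object { Get-InternetZoneTag -Path $_.FullName } |
    Format-Table -Property Path, ZoneId, TagPresent, OfficeBlocks -AutoSize
```

Files that report TagPresent as false are exactly the ones the Internet block can no longer protect, which is useful when checking whether a content management system or transfer path strips the tag.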

Detect and reduce the impact of malicious macros

It is sometimes necessary to receive documents containing macros from other organisations by email or from internet-hosted document shares. In those cases, it is difficult to write rules that define trusted locations because legitimate macros will just be seen as coming from the Internet.

You can reduce the chance of a malicious macro reaching a user if you use an anti-malware product that includes macro scanning capabilities. It could be a part of your email service (such as Exchange Online ATP) or a feature of the anti-malware software on the user’s device.

We recommend that devices used on the Internet are configured in line with the NCSC’s End User Devices Security Guidance. While Windows AppLocker will not prevent malicious macros from running, a configuration such as the one suggested in the guidance for Windows 10 is often effective in blocking malware that is downloaded/extracted from the macro.


Configuration options

Most of the mitigation options above can be configured using Group Policy across an enterprise, or Local Group Policy on an individual machine. Administrator-controlled Group Policy ensures that a user cannot be socially engineered into changing a setting in the Trust Center inside the Office product.

Group Policy will need to be configured separately for each Office application that you have installed on devices. In an enterprise, Group Policy can be applied to different Organizational Units, allowing macros to be enabled for a specific subset of the people in your organisation.

Microsoft publishes implementation guidance explaining the group policy settings available for Office 2016.
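Group Policy writes the Office macro settings into the registry under HKCU\Software\Policies (and HKLM for machine policy), one key per application. The script below is an added example, not from the NCSC guidance or Microsoft's documentation: it reads those per-user policy values for each Office application and reports whether they match the mitigations described in the earlier sections (macros disabled or signed-only, the Internet block enabled, and any trusted locations defined). It assumes Office 2016 (registry version 16.0; use 15.0 for Office 2013) and PowerShell 5.1 or later.

```powershell
# Added example, not part of the NCSC guidance or Microsoft's documentation: read the
# macro policy values that Group Policy writes under HKCU\Software\Policies and report,
# per application, whether they match the mitigations described above. Assumes Office
# 2016 (registry version 16.0; use 15.0 for Office 2013). HKLM policy is not read here.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

# Meaning of the VBAWarnings value (the Trust Center "Macro Settings" choices)
$vbaWarningText = @{
    1 = 'Enable all macros'
    2 = 'Disable all with notification (Office default: user can click Enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-MacroPolicyState {
    param([Parameter(Mandatory)][string]$App)

    $key    = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba    = $values.VBAWarnings                        # absent when no policy is applied
    $motw   = $values.blockcontentexecutionfrominternet  # 1 = block macros from the Internet

    # Trusted locations defined by policy: Location1, Location2, ... subkeys with a Path value
    $tlKey     = "$key\Trusted Locations"
    $locations = Get-ChildItem -Path $tlKey -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path }
    $allOff    = (Get-ItemProperty -Path $tlKey -ErrorAction SilentlyContinue).AllLocationsDisabled
    if ($allOff -eq 1) { $tlText = 'All disabled' } else { $tlText = ($locations -join '; ') }

    if ($null -eq $vba) {
        $setting = 'Not set by policy (user can change it in the Trust Center)'
    } else {
        $setting = $vbaWarningText[[int]$vba]
    }

    [pscustomobject]@{
        Application       = $App
        MacroSetting      = $setting
        BlockFromInternet = ($motw -eq 1)
        TrustedLocations  = $tlText
        # Disabled (4, optionally with trusted locations) or signed-only (3), plus the Internet block
        MatchesGuidance   = (($vba -eq 3 -or $vba -eq 4) -and $motw -eq 1)
    }
}

$apps | ForEach-Object { Get-MacroPolicyState -App $_ } | Format-Table -AutoSize -Wrap
```

An application reporting "Not set by policy" is one where a socially engineered user can still change the Trust Center setting themselves, which is the situation the Group Policy approach is meant to prevent.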


Comparison of Microsoft Office versions

The following table allows you to compare how the various versions of Microsoft Office on Windows deal with macros. In addition:

  • we recommend that you use the most recent version of Microsoft Office, and that all patches are applied
  • we strongly recommend that you do not use versions of Microsoft Office that are no longer supported, including Office 2003

Version      Support               Default macro behaviour                               Block from the Internet  Trusted locations  Require digital signature  Block per application
Office 2016  Supported until 2025  Block until the user clicks the Enable Macros button  Yes                      Yes                Yes                        Yes
Office 2013  Supported until 2023  Block until the user clicks the Enable Macros button  Yes*                     Yes                Yes                        Yes
Office 2010  Supported until 2020  Block until the user clicks the Enable Macros button  No                       Yes                Yes                        Yes
Office 2007  Supported until 2017  Block until the user clicks the Enable Macros button  No                       No                 Yes                        Yes
Office 2003  Not supported         Macros run automatically                              No                       No                 Yes                        Yes

* this feature was added to Office 2013 by Microsoft Update

Macros are supported by Office for Mac and offer similar functionality to Office running on Windows. They use a slightly different language and are run inside Apple’s sandbox. Therefore, malicious macros that are targeted at Windows versions of Office are less likely to be dangerous in Office for Mac.

Macros are not supported by Office Mobile apps and the Office Online browser-based document editors. 

Source: NCSC
