CIS Logo
tagline: Confidence in the Connected World

Intel Insight: How to Disable Macros

Overview

The MS-ISAC observes specific malware variants consistently reaching The Top 10 Malware list. These specific malware variants have traits allowing them to be highly effective against State, Local, Tribal, and Territorial (SLTT) government networks, consistently infecting more systems than other types of malware. An examination of the characteristics of these malware variants revealed that they often abuse legitimate tools or parts of applications on a system or network. One such legitimate part of an application is macro instructions.

Understanding the Threat Surface

Macro instructions (macros) are a set of rules or instructions used to automate repetitive or complex tasks. These instructions are compressed into a smaller form, which when used, are decompressed into the original instruction details. Macros are often used by cyber threat actors (CTAs) to obfuscate the delivery of malicious payloads. CTAs utilize social engineering to trick end users into opening malicious Microsoft Word or Excel attachments included in Malspam emails. Once an end user opens the attachment, they are prompted to enable Macros. If the user follows the prompt and enables macros, the malicious payload will automatically run, infecting your system. CTAs utilize macros to bypass cybersecurity by obfuscating the instructions for their malicious tasks in the compressed macro file.

Recommendations

Configurations can help automatically block macros from running. After evaluating your environment and appropriate testing, use Group Policy to block or disable macros from running in Microsoft Word, Excel, and PowerPoint; including files downloaded from the Internet and those that are not digitally signed. This setting allows you to block macros from running even if “Enable all macros” is selected in the macros settings. Additionally, the digital signature acts as a way of validating who sent the document, preventing the accidental enabling of macros on a document containing a malicious payload. The MS-ISAC recommends organizations use the CIS Benchmarks and CIS Build Kits, which are a part of CIS SecureSuite.

Please see below for detailed steps on globally disabling macros.

For disabling Microsoft Office macros via Active Directory / Domain Controller

This feature was highlighted in Microsoft Office 2016.

  • Install the Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool on the Active Directory Domain Controller
  • Upon completing the installation:
    • Click Start Menu > Control Panel > System and Security > Administrative Tools.
    • Open the Group Policy Management Console.
    • Right-click the Group Policy Object you want to configure and click Edit.
    • In the Group Policy Management Editor, go to User Configuration.
    • Click Administrative templates > Microsoft Word 2016 > Word options > Security Trust Center.
    • Open the Block macros from running in Office files from the Internet setting to configure and enable it.
    • Or if Macros are needed in your environment, open the Disable all macros except digitally signed macros.

For disabling Microsoft Office macros via the End-User

The below instructions are for Office 365 Subscriptions, Office Online, Office 2019, Office 2016, Office 2013, and Office 2010.

Macro settings are located in the Microsoft Office Trust Center, which can be accessed using any of the Microsoft Office programs. Note: Your organization may have changed the default settings via the Active Directory / Domain Controller to prevent anyone from changing these settings.

  • Click the File
  • Click
  • Click Trust Center, and then click Trust Center Settings.
  • In the Trust Center, click Macro Settings.
  • Make the selections that you want.
  • Select the macro setting that is appropriate for your organization (The MS-ISAC recommends one of the three settings below):
    • Disable all macros without notification
    • Disable all macros with notification
    • Disable all macros except digitally signed macros
  • Click OK.
  • Macros or all non-digitally signed macros are now disabled for the current End-User Profile.

For more information please visit Microsoft’s webpage on Blocking Macros and Enabling or Disabling Macros.

 

The MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as 24x7 cybersecurity assistance is available at 866-787-4722, SOC@cisecurity.org. The MS-ISAC is interested in your comments - an anonymous feedback survey is available.