
MS Office macros from the internet probably won't be blocked by default

The media coverage about Microsoft blocking macros by default in Office files from the Internet wildly overstates the reality of this super small and almost insignificant change.

Some simple facts

  • Doesn’t affect Office 'on the web' at all
  • This only affects VBA macros
  • This is not the same as 'Office Scripts'
  • Doesn’t affect Office on a Mac, or any iOS devices
  • Doesn’t affect Office on Android
  • Might (in the future) work on Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013
  • Will only work on fully patched (Preview only) Office in early April 2022, general availability approx. June 2022 (again, only if fully patched)
  • Only works on Windows versions of: Access, Excel, PowerPoint, Visio, and Word
  • Will only work for email attachments if the C drive is NTFS (not FAT)
  • Will not work for files on network shared drives
  • Will not work for files from USB unless it is NTFS formatted USB
  • Appears to not work for malicious files opened and then "Save As" to USB or shared drive and opened again (removes MOTW)
  • Will not work for OneDrive files because it's trusted
  • Will not work for SharePoint files because it's trusted
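
Most of the limits above come down to whether a file still carries the Mark of the Web (MOTW), which Windows stores in an NTFS alternate data stream named `Zone.Identifier`. The following is an added example, not code from Microsoft or from this post, that parses that stream and lists macro-capable files the block would not cover; the extension list, the function names, the sample data and the treatment of ZoneId 3 and 4 as "from the internet" are assumptions.

```python
import configparser
import os

# Office extensions that can carry VBA macros (illustrative, not exhaustive).
MACRO_EXTS = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}
# Assumption: ZoneId 3 (Internet) and 4 (Restricted sites) count as "from the internet".
UNTRUSTED_ZONES = {3, 4}

def parse_zone_identifier(text):
    """Return the ZoneId from Zone.Identifier stream text, or None if missing or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_motw(path):
    """Read MOTW from the alternate data stream of a real file (Windows, NTFS).
    Returns None when the stream is absent: never tagged, stripped, or a
    filesystem without alternate data streams such as FAT."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def block_applies(name, zone_id):
    """True only for a macro-capable file that still carries an untrusted MOTW."""
    ext = os.path.splitext(name)[1].lower()
    return ext in MACRO_EXTS and zone_id in UNTRUSTED_ZONES

def uncovered(files):
    """Given (name, stream_text_or_None) pairs, list macro-capable files with no effective MOTW."""
    out = []
    for name, stream in files:
        zone = parse_zone_identifier(stream) if stream is not None else None
        ext = os.path.splitext(name)[1].lower()
        if ext in MACRO_EXTS and not block_applies(name, zone):
            out.append(name)
    return out

# Constructed sample data, not taken from any real system.
SAMPLES = [
    ("invoice.docm", "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.test/invoice.docm\n"),
    ("copy-on-usb.docm", None),                     # FAT volume, or MOTW lost after "Save As"
    ("report.xlsm", "[ZoneTransfer]\nZoneId=1\n"),  # tagged, but intranet zone
    ("notes.txt", None),                            # not macro-capable, ignored
]

if __name__ == "__main__":
    print(uncovered(SAMPLES))
```

On a Windows host, `read_motw(path)` can replace the constructed stream text when walking a real download or attachment folder.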

It's clear this change is a good start at tackling an extremely impactful cybersecurity issue, but it is a change that has a very limited scope of where it will work and it is something that should have been done a decade ago. This is what we are talking about:

That will show in an extremely limited scenario, but it should always show by default without any limitations.

So it is not only a decade or more late, it's also so insignificant of a change that any praise given to Microsoft is like giving a large trophy to the Olympians who did not qualify or did not finish their event. It's pretty crazy to give Microsoft any credit when the so-called 'fix' doesn't actually fix anything in reality, because it is so easily avoided, and in most phishing scenarios (most are targeted) it doesn't even have an impact at all.

This will stop the spam phishing campaigns

But spam is not the threat we're seeing in the wild; the successful phishing is always targeted, and this change by Microsoft will not help us defend against any targeted phishing at all.