Many years ago, Microsoft turned off macro execution in Office by default. This is probably the end of it, as ArcticWolf has now discovered. This clears the way for attacker networks such as Quakbot or Emotet, since they primarily attack via macros in documents. A new security risk.
Microsoft has abolished the automatic deactivation of macros in various Office programs. Ian McShane, Arctic Wolf's vice president of strategy, comments on Microsoft's actions and what it means for cyber security.
Microsoft is rolling back security
“It is unfortunate and disappointing that Microsoft is withdrawing its initiative to disable Office macros by default. Disabling Office macros by default was a big step forward in securing one of the most popular attack vectors. Malware like Quakbot and Emotet are distributed through these types of malicious documents, wreaking havoc on businesses worldwide.
Whether this action was rolled back due to technical concerns or customer feedback, it means Office users are less secure today than they were last week. As a result, security teams must be on high alert and re-educate users about the risks of active content in Office documents. I was surprised to hear that there were plans to address this issue with macro disabling by default, but am even more surprised that those plans have been withdrawn.
Ease of use vs. security
Overall, the trade-off of usability vs. security is a big issue to solve. However, disabled macros involve less effort for users compared to the damage of a successful Emotet attack. This attack path has been a known problem for decades - and unfortunately, the risk of macros has always been passed on to end users rather than addressing it at source. I would expect an increase in macro-based cyberattacks now that this attack path has become easier again.” said Ian McShane, Vice President of Strategy at Arctic Wolf.
More at ArcticWolf.com
About Arctic Wolf Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1,6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2.000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.