Office Document Macro Security: The Attack Vector That Will Not Die

Microsoft disabled macros by default in 2022. Attackers adapted. The macro threat has evolved, not disappeared.

Nayan Dey
Security Engineer
5 min read

In February 2022, Microsoft announced that VBA macros would be blocked by default in Office documents downloaded from the internet. This was the single most impactful security change Microsoft could make. For over two decades, macro-enabled Office documents had been the primary initial access vector for malware campaigns worldwide.

But blocking macros did not end the threat. It shifted it. Attackers adapted with remarkable speed, and the supply chain implications have evolved in unexpected directions.

The Pre-2022 Landscape

Before the default block, the attack pattern was simple and effective:

  1. Send a document with an embedded VBA macro via email or a compromised website.
  2. The document opens with a banner asking the user to "Enable Content."
  3. User clicks the button, the macro executes, malware is downloaded and installed.

This pattern powered Emotet, TrickBot, QakBot, and countless other malware families. It worked because the barrier -- a single click on a yellow banner -- was trivially bypassed through social engineering.

VBA macros had unrestricted access to the Windows API through Declare statements, could create COM objects, write files, execute processes, and modify the registry. A macro could do anything the user could do.

The Post-Block Adaptation

After Microsoft's change, documents downloaded from the internet (marked with the Mark of the Web, or MOTW) have macros disabled without a simple enable button. Users must actively navigate to file properties and unblock the file.

Attackers responded with several adaptations:

Container files to strip MOTW. ISO, IMG, VHD, and ZIP files do not always propagate the MOTW to their contents. An attacker could embed a macro-enabled document inside an ISO file. When the user mounts the ISO and opens the document, the MOTW is absent, and macros run without the block.

LNK files with embedded commands. Windows shortcut files can execute arbitrary commands. Attackers replaced macro-enabled documents with LNK files that download and execute payloads directly.

OneNote files. Microsoft OneNote files (.one) became a popular delivery mechanism because they allow arbitrary files, scripts included, to be embedded in a page, and they did not initially receive the same blocking treatment as macros.

HTML smuggling. JavaScript embedded in HTML emails or web pages can construct and download malicious files directly in the browser, bypassing email attachment scanning.

XLL add-in files. Excel add-in files (.xll) are DLLs that Excel loads and executes. They provide native code execution without going through the VBA macro pathway.
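To show how a mail gateway or triage script can recognize these delivery formats by content rather than by name, here is an added Python example; it is not code from this article or from Safeguard.sh. It sniffs ISO, VHD, LNK, PE and ZIP by their file signatures, descends into ordinary ZIP archives, and flags any OOXML package that carries a vbaProject.bin whether or not the extension says .docm. The extension lists and the size and depth limits are assumptions, and the inputs produced by build_samples() are constructed stand-ins, not real malware. The same logic is what the "block high-risk file types at the email gateway" practice below would enforce.

```python
"""Attachment triage for the post-block delivery tricks: disk images, shortcuts,
native add-ins and macro projects hidden behind a benign extension or a ZIP."""
from __future__ import annotations

import io
import os
import zipfile

# File signatures from the public format specifications.
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"                                 # DLL/EXE image; an .xll is a DLL
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # ShellLink HeaderSize plus the start of its CLSID
ISO_MAGIC, ISO_OFFSET = b"CD001", 0x8001         # ISO 9660 primary volume descriptor
VHD_COOKIE = b"conectix"                         # VHD footer cookie (mirrored at offset 0 on dynamic disks)

# Extension policy: assumptions for this example, tune to your own gateway rules.
BLOCKED_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx", ".xll", ".lnk", ".one"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
MAX_DEPTH = 3                      # nested ZIP limit
MAX_MEMBER_BYTES = 50 * 1024 * 1024

def sniff(data: bytes) -> str:
    """Identify the real format from content, ignoring whatever the name claims."""
    for kind, magic in (("zip", ZIP_MAGIC), ("lnk", LNK_MAGIC), ("pe", PE_MAGIC), ("vhd", VHD_COOKIE)):
        if data.startswith(magic):
            return kind
    if data[ISO_OFFSET:ISO_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    if data[-512:].startswith(VHD_COOKIE):
        return "vhd"
    return "unknown"

def zip_names(data: bytes) -> list[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []

def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (path, reason) findings for one attachment, descending into plain ZIPs."""
    findings: list[tuple[str, str]] = []
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        findings.append((name, f"blocked extension {ext}"))
    elif kind in ("iso", "vhd"):
        findings.append((name, f"{kind} disk image behind extension {ext or '(none)'}"))
    if kind == "lnk":
        findings.append((name, "Windows shortcut file (can embed a command line)"))
    if kind == "pe":
        findings.append((name, "native PE image (DLL/EXE, the form an XLL add-in takes)"))
    if kind == "zip":
        names = zip_names(data)
        is_ooxml = "[content_types].xml" in names
        # An OOXML package stores its macro project as vbaProject.bin; the outer
        # extension (.docx vs .docm) is not what decides whether macros exist.
        if is_ooxml and any(n.endswith("vbaproject.bin") for n in names):
            hidden = "" if ext in MACRO_EXTENSIONS else f" (hidden behind {ext or '(none)'})"
            findings.append((name, "OOXML package containing vbaProject.bin" + hidden))
        elif names and not is_ooxml and depth < MAX_DEPTH:
            # Ordinary archive: inspect every member, since the ZIP is exactly where
            # the Mark of the Web may fail to follow the document inside.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir() and info.file_size <= MAX_MEMBER_BYTES:
                        findings.extend(scan_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings

def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

def build_samples() -> dict[str, bytes]:
    """Constructed inputs, not real malware: a macro project renamed to .docx and wrapped
    in a ZIP, a clean .docx, a bare ISO volume descriptor and a shortcut posing as a JPEG."""
    macro_doc = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"})
    clean_doc = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    return {
        "invoice.zip": make_zip({"report.docx": macro_doc, "notes.txt": b"hello"}),
        "clean.docx": clean_doc,
        "driver_update.iso": b"\x00" * ISO_OFFSET + ISO_MAGIC,
        "photo.jpg": LNK_MAGIC + b"\x00" * 68,
    }

if __name__ == "__main__":
    for attachment, blob in build_samples().items():
        for path, reason in scan_attachment(attachment, blob):
            print(f"{path}: {reason}")
```

Running the module prints one finding per sample: the macro project inside invoice.zip is reported even though it is named report.docx, the ISO is caught by extension and would still be caught by its volume descriptor if renamed, and the LNK is recognized from its header. Signature checks like these belong alongside, not instead of, the gateway's own extension rules, and legacy OLE2 .doc/.xls files still need a macro-stream parser such as oletools.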

Supply Chain Implications

The macro threat intersects with supply chain security in several ways:

Macro-enabled templates in repositories. Organizations that maintain shared document templates with macros in their repositories create a supply chain risk. If the repository is compromised, the templates can be modified to include malicious macro code. Every document generated from the compromised template inherits the malicious payload.

VBA libraries and shared code. Large organizations often maintain VBA code libraries that are imported into multiple documents and spreadsheets. A compromise of these libraries propagates to every document that uses them.

Office add-ins. COM add-ins and VSTO add-ins run native or .NET code within the Office process. The supply chain for these add-ins includes NuGet packages, COM components, and deployment mechanisms that can all be targeted.

Document generation pipelines. Applications that generate Office documents (using libraries like Apache POI, OpenXML SDK, or python-docx) can be manipulated to embed malicious content if the generation pipeline is compromised.

Detection Challenges

Modern macro detection must contend with sophisticated obfuscation:

VBA stomping replaces the VBA source code stored in a document with benign code while leaving the compiled p-code malicious. Office runs the p-code directly when the document was compiled by the same VBA version that opens it, so scanners that examine only the source see nothing suspicious; catching it requires comparing the source against the p-code.

Environmental keying makes macros check for specific environment conditions before executing the malicious payload. The macro runs benign code in sandbox environments and malicious code only on the target.

String obfuscation through concatenation, encoding, and variable substitution defeats signature-based detection.

Auto-open triggers can be attached to events beyond AutoOpen() and Document_Open(). Macros can trigger on document close, print, form events, or even specific cell changes in Excel.
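As an added example of what a source-level scanner has to look for once the VBA source has been extracted (this is example code written for this page, not a tool from the article or from Safeguard.sh), the block below scores VBA source for the three evasions described above: auto-exec triggers beyond AutoOpen and Document_Open, environmental keying checks, and string obfuscation. The trigger names are real Office event procedures; the pattern sets and the weights are assumptions for this example. The two samples are constructed, and the "keyed" one only has the shape of a keyed dropper: its decoded strings are placeholders, not a payload.

```python
"""Heuristic review of extracted VBA source for the evasions described above:
auto-exec triggers beyond AutoOpen, environmental keying and string obfuscation."""
from __future__ import annotations

import re

# Procedures Office runs on its own once macros are enabled. Everything after
# the first two lines is a trigger that source-only scanners tend to overlook.
AUTO_EXEC_TRIGGERS = [
    "AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_BeforeClose", "Workbook_BeforePrint",
    "Workbook_Activate", "Workbook_Deactivate",
    "Worksheet_Change", "Worksheet_SelectionChange", "Worksheet_Activate",
    "UserForm_Initialize", "UserForm_Activate", "UserForm_Terminate",
]

# Capabilities: Win32 Declare, COM, process, file, registry and network access.
CAPABILITY_PATTERNS = {
    "win32_api_declare": r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b",
    "com_object": r"\b(?:CreateObject|GetObject)\s*\(",
    "process_exec": r"\bShell\s*\(|\bWScript\.Shell\b|\bWin32_Process\b",
    "file_write": r"\bOpen\s+.+\bFor\s+(?:Binary|Output|Append)\b|\bSaveToFile\b",
    "registry": r"\bRegWrite\b|\bRegRead\b",
    "network": r"\bURLDownloadToFile\b|\bXMLHTTP\b|\bWinHttpRequest\b",
}

# Environmental keying: conditions a sandbox is unlikely to satisfy.
KEYING_PATTERNS = {
    "user_or_domain_check": r'\bEnviron\s*\(\s*"(?:USERNAME|USERDOMAIN|COMPUTERNAME)"',
    "recent_files_count": r"\bRecentFiles\.Count\b",
    "mouse_or_screen": r"\bMouseAvailable\b|\bUsableWidth\b",
    "wmi_hardware_query": r"\bWin32_(?:ComputerSystem|LogicalDisk|PhysicalMemory|BIOS)\b",
}

# String obfuscation: concatenation, encoding and substitution.
OBFUSCATION_PATTERNS = {
    "chr_concat": r"\bChr[W$]?\s*\(\s*\d+\s*\)",
    "str_reverse": r"\bStrReverse\s*\(",
    "xor_decode": r"\bXor\b",
    "replace_substitution": r"\bReplace\s*\(",
    "long_literal": r'"[A-Za-z0-9+/=]{60,}"',
}

def _count(pattern: str, source: str) -> int:
    return len(re.findall(pattern, source, flags=re.IGNORECASE))

def analyze_vba(source: str) -> dict:
    triggers = [t for t in AUTO_EXEC_TRIGGERS
                if re.search(rf"\b(?:Sub|Function)\s+{t}\b", source, re.IGNORECASE)]
    capabilities = {k: _count(p, source) for k, p in CAPABILITY_PATTERNS.items()}
    keying = {k: _count(p, source) for k, p in KEYING_PATTERNS.items()}
    obfuscation = {k: _count(p, source) for k, p in OBFUSCATION_PATTERNS.items()}

    # Weights are assumptions made for this example, not a published standard.
    score = 2 * len(triggers)
    score += 3 * sum(1 for v in capabilities.values() if v)
    score += 3 * sum(1 for v in keying.values() if v)
    score += sum(1 for v in obfuscation.values() if v)
    if obfuscation["chr_concat"] >= 10:          # a string assembled byte by byte
        score += 3
    if triggers and any(capabilities.values()):  # runs by itself AND reaches outside Office
        score += 4
    risk = "high" if score >= 10 else "medium" if score >= 5 else "low"
    return {"triggers": triggers, "capabilities": capabilities, "keying": keying,
            "obfuscation": obfuscation, "score": score, "risk": risk}

# Constructed samples. KEYED_SAMPLE decodes to "placeholder" and "Placeholder.Object".
BENIGN_SAMPLE = """
Sub Document_Open()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
"""

KEYED_SAMPLE = """
Private Sub Workbook_BeforePrint(Cancel As Boolean)
    If Environ("USERDOMAIN") <> "CORP" Then Exit Sub
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim s As String
    s = Chr(112) & Chr(108) & Chr(97) & Chr(99) & Chr(101) & Chr(104)
    s = s & Chr(111) & Chr(108) & Chr(100) & Chr(101) & Chr(114)
    Dim o As Object
    Set o = CreateObject(StrReverse("tcejbO.redlohecalP"))
    o.Method s
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("keyed", KEYED_SAMPLE)):
        print(label, analyze_vba(src))
```

The benign sample scores 2 (one standard trigger, nothing else), the keyed sample scores 20: a print-event trigger, a COM object, two sandbox checks, eleven Chr() calls and a reversed string. Note that this kind of scan is exactly what VBA stomping defeats, so the source it is fed should come from a tool that can also disassemble the p-code (oletools' olevba and pcodedmp are the usual choices) and report when the two disagree.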

Current Best Practices

Enforce the macro block policy. Use Group Policy to block macros in files from the internet across your organization. Do not allow exceptions.

Block high-risk file types at the email gateway. ISO, IMG, VHD and similar container formats, together with XLL add-ins, should be blocked or heavily scrutinized in email.

Use ASR rules. Windows Defender Attack Surface Reduction rules can block Office applications from creating executable content, creating child processes, and injecting code into other processes.

Inventory macro-enabled documents. Know which documents in your organization legitimately use macros. Maintain a signed and approved list. All others should be blocked.

Monitor document generation pipelines. If your organization generates Office documents programmatically, ensure the generation libraries and templates are monitored for unauthorized modifications.
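The inventory and template-monitoring practices above can share one mechanism: hash the macro project inside each file rather than the file itself. The following added Python example (written for this page, not code from the article or from Safeguard.sh) walks a document tree, pulls the SHA-256 of every vbaProject.bin it finds, and compares it with an allowlist of approved project hashes, so an unexpected macro-enabled file, a macro project behind a .docx extension, or a modified template all stand out. The directory layout and the project contents in demo_inventory() are constructed samples; a real deployment would keep the allowlist alongside the signed templates.

```python
"""Inventory of macro projects across a document tree, checked against an
allowlist of approved vbaProject.bin hashes."""
from __future__ import annotations

import hashlib
import tempfile
import zipfile
from pathlib import Path

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}

def macro_project_digest(path: Path) -> str | None:
    """SHA-256 of the vbaProject.bin inside an OOXML file, or None when there is none.
    Hashing the project rather than the whole file means an approved template keeps
    its hash when its text changes but loses it the moment its macros change."""
    try:
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    return hashlib.sha256(zf.read(name)).hexdigest()
    except zipfile.BadZipFile:
        return None
    return None

def inventory(root: Path, approved: set[str]) -> dict[str, list[str]]:
    """Classify every macro-carrying file under root: approved project, unapproved
    project, and 'misnamed' for a macro project behind a non-macro extension."""
    report: dict[str, list[str]] = {"approved": [], "unapproved": [], "misnamed": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = macro_project_digest(path)
        if digest is None:
            continue                      # no macro project at all: nothing to approve
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in MACRO_EXTENSIONS:
            report["misnamed"].append(rel)
        report["approved" if digest in approved else "unapproved"].append(rel)
    return report

def write_ooxml(path: Path, vba: bytes | None) -> None:
    """Write a minimal OOXML-shaped ZIP (constructed sample, not a real document)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if vba is not None:
            zf.writestr("word/vbaProject.bin", vba)

def demo_inventory() -> dict[str, list[str]]:
    """Build a sample tree in a temporary directory and run the inventory against
    an allowlist holding only the original template's project hash."""
    approved_project = b"APPROVED-PROJECT-STUB"
    tampered_project = b"APPROVED-PROJECT-STUB-plus-injected-code"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_ooxml(root / "templates" / "invoice.dotm", approved_project)
        write_ooxml(root / "templates" / "invoice_modified.dotm", tampered_project)
        write_ooxml(root / "reports" / "q1.docx", approved_project)   # approved macros, wrong extension
        write_ooxml(root / "reports" / "q2.docx", None)
        (root / "reports" / "readme.txt").write_text("not a document")
        allowlist = {hashlib.sha256(approved_project).hexdigest()}
        return inventory(root, allowlist)

if __name__ == "__main__":
    for bucket, files in demo_inventory().items():
        print(bucket, files)
```

The demo reports invoice.dotm and q1.docx as approved (same project), invoice_modified.dotm as unapproved, and q1.docx additionally as misnamed. Because the hash covers the project stream and not the document, a generation pipeline that fills templates with new content does not churn the allowlist, while any change to the macros themselves does.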

How Safeguard.sh Helps

Safeguard.sh monitors the libraries your organization uses for document generation and processing, tracking vulnerabilities in Apache POI, OpenXML SDK, python-docx, and similar packages. When a vulnerability is found in a document processing library in your dependency tree, Safeguard.sh alerts you with the context needed to prioritize remediation -- which projects are affected, what the vulnerability enables, and what version resolves it.
