Macros are programs built inside office productivity software to automate tasks. Just like most programs, macros are flexible and give the writer the ability to download and execute other files. This flexibility can also be used by attackers to trick users into downloading and running malware.
A common tactic that we see are phishing emails sent by attackers that are framed as overdue invoices. The invoices attached are macro-supported files that have instructions to tell the users to enable macros in order to view the file. Once enabled, the macros are run and are able to download and execute ransomware.
There are valid business reasons for using macros, however it is important to make sure you have secure configurations set by default so only the macros you know and trust are run.
The intent of this control is for organisations to set the default configurations for macros to deny. Secure configurations are set for users that have a reason to use macros so the users can make sure they are only running macros they know and trust.
There are multiple different ways to configure your network. Regardless of your design, the goals of this control are:
- All users have macros disabled by default and this can’t be re-enabled by the user.
- Macros are enabled on a user group basis. Only users who have a need to access macros are added to this group.
- Macro-enabled user group have configurations set to either:
- Only allow macros to run from trusted locations, or
- Only run macros that are digitally signed.
- Macro-enabled user group is reviewed to ensure all users still require macros (and follows the principle of least privilege).
- Logs are recorded and stored in a central location to capture execution of file types that have macros, such as .docm, .pptm, .xlsm
Key secure macro configuration takeaways
- Make sure users who have a business need for macros are aware of what a malicious macro might look like. They often come hidden in unexpected phishing emails. Users who have access to run macros should be aware they should not run macro-enabled files they are not expecting and instead should report them internally.
- You can use defence-in-depth to make the most of this critical control. Combining secure macro defaults with principle of least privilege and application whitelisting will limit the likelihood of your organisation being hit with a malicious macro. You could also consider using email and website filtering to further limit the possibility of a user downloading a macro-supported file.