Yes, VBA-Enabled Office Docs are a Significant Threat

As I wrote about recently, Microsoft will begin blocking VBA macros in Office documents downloaded from email or the internet.

Understandably, this has caused quite a stir among Microsoft Access developers, not to mention the broader VBA development community.  The new restrictions will make it harder for users to run Office documents with legitimate VBA code if they get those documents via email or the web. This is by design.

... and ...

It's the right decision by Microsoft.

Office Documents with VBA Macros are a Substantial Threat

According to Kevin Beaumont, former Microsoft employee and cybersecurity expert,

"Macros account for about 25% of all ransomware entry."

Kevin chose his words carefully there.  The operative word in his quote is, "entry."  Very little actual ransomware is written in VBA.  Rather, VBA's role is to open the door for the ransomware executable to come inside.

A great deal of modern ransomware uses the following approach:

  1. Email an infected Office document (Word, Excel, etc.) to an employee
  2. Convince employee to open document and enable macros
  3. Use embedded VBA to download malware from internet
  4. Run actual malware program written in C or C++
  5. Extort large sums of money from compromised organization

Here's a handy infographic from fossbytes.com:

Why VBA as a Malware Delivery Tool?

Years of telling users to NEVER run an application that someone emails to you–plus the fact that email clients and servers almost universally block the download and/or attachment of executable files–means that it's close to impossible for an attacker to deliver the actual ransomware software via email.

But, users get Office documents emailed to them all the time.  Most of the time, it's perfectly safe to open them.  This results in users being less suspicious of Office documents.

If you've spent any time working in information security, you know that the biggest vulnerability is almost always people.  And modern-day social engineering techniques have come a long way since I first heard about the sudden passing of my long lost great uncle in Nigeria.

If you think the current yellow [Enable Macros] bar is sufficient, you may want to reconsider after seeing some of these devious subterfuges:

https://research.checkpoint.com/2022/the-death-of-please-enable-macros-and-what-it-means/
https://research.checkpoint.com/2022/the-death-of-please-enable-macros-and-what-it-means/
https://research.checkpoint.com/2022/the-death-of-please-enable-macros-and-what-it-means/
https://nakedsecurity.sophos.com/2014/09/17/vba-injectors/
https://www.virusbulletin.com/blog/2014/11/macro-malware-rise-again
https://research.checkpoint.com/2019/malware-against-the-c-monoculture/
https://www.fortinet.com/blog/threat-research/microsoft-excel-files-increasingly-used-to-spread-malware
https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html
https://securitynews.sonicwall.com/xmlpost/malicious-vba-macro-uses-clsid-to-create-shell-object/

Referenced articles

Office to Disable All VBA Code in Files from the Internet
Beginning in April 2022, users will no longer have the option to manually enable VBA code in Office files downloaded from the internet.

External references

Microsoft to block Office VBA macros by default
Microsoft is planning to block VBA macros in Office. Any Office files downloaded from the internet will have macros blocked by default, in a security push.
The Death of “Please Enable Macros” and What it Means - Check Point Research
Introduction On the 7th of February, Microsoft announced an impending change to its ubiquitous suite of Office apps. In Microsoft’s own words: “VBA macros obtained from the internet will now be blocked by default”. The change is expected to begin rolling out in early April. Technically speaking, VBA…
The Simplicity of VBA Malware (Part 1 of 2)
Macro malware targets Microsoft Office applications (Word, Excel, etc.). Malicious VBA macros are used to infect anyone who opens the file, mostly with Trojan

Image by Peter H from Pixabay