fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

How to Auto Block Macros in Microsoft Office Docs from the Internet

How to Auto Block Macros in Microsoft Office Docs from the Internet

With Microsoft temporarily rolling back a feature that automatically blocks macros in Microsoft Office files downloaded from the Internet, it is essential to learn how to configure this security setting manually. This article will explain why users should block macros in Internet downloads and how you can block them in Microsoft Office.

A common distribution method used by some of the most notorious malware, including Emotet, Dridex, Qbot, and RedLine stealer, is to send phishing emails containing malicious Word or Excel documents with macros that install the malware on the target’s devices.

To prevent this distribution method, Microsoft announced in February that Microsoft Office would automatically block VBA macros in documents downloaded from the Internet starting in June.

This announcement was met with resounding support from many Windows admins, cybersecurity professionals, and end-users who saw it as having a significant impact on the security of Windows.

However, soon after the feature went live in June, Microsoft suddenly and without any real explanation rolled back this change, leaving Windows and Microsoft Office users once again at risk from Office documents with malicious macros.

While the rollback is only temporary until customer concerns are addressed, the good news is that you can manually enable this feature on your devices using group policies.

Also Read: The DNC Registry Singapore: 5 Things You Must Know

Understanding the Mark-of-the-Web

Before we explain how to automatically block macros in Microsoft Office files downloaded from the Internet, it is essential to understand a Windows feature called the ‘Mark-of-the-Web’.

The Mark-of-the-Web is a special NTFS alternate data stream added to downloaded files that tells Windows and supporting applications, such as Microsoft Office, that the file was downloaded from the Internet and should be considered risky to open.

When a file has a Mark-of-the-Web, and you try to open it, Windows will display additional warnings to the user, asking if they are sure they wish to run the file.

Microsoft Office will also check for a Mark-of-the-Web, and if found, open the document in Protected View, warning that the document can contain viruses.

Word document opened in Protected View
Word document opened in Protected View

However, if you have ever managed Windows devices, you will know that these warnings are commonly ignored, leading to a device becoming infected and a network becoming compromised.

Blocking macros in Internet documents

Since 2016, Microsoft has had a Microsoft Office group policy called ‘Block macros from running Office files from the Internet that will automatically prevent macros from running on documents containing a ‘Mark-of-the-Web.’

While not as pretty as the new feature that Microsoft rolled back, it performs the same functionality of blocking macros on all downloaded Office documents.

To enable this policy, you can download and install the Microsoft Office group policies and configure the ‘Block macros from running Office files from the Internet’ policy for each application you would like to secure.

These policies are located under User Configuration > Administrative Templates > [Office Application] > [Office Application] Options > Security Trust Center, as shown below.

Microsoft Word group policies
Microsoft Word group policies
Source: BleepingComputer

To automatically block macros in Microsoft Office files downloaded from the Internet, navigate to the ‘Block macros from running Office files from the Internet’ policy for the application you want to secure and set the policy to Enabled.

Also Read: How To Comply With PDPA: A Checklist For Businesses

Block macros from running Office files from the Internet group policy
Source: BleepingComputer

Once this policy is enabled, a new Registry value named ‘blockcontentexecutionfrominternet‘ will be set to ‘1‘ under the HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[office version]\[office application]\security key.

For example, when configuring this policy for Microsoft Word, Windows will create the following Registry value:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security]
“blockcontentexecutionfrominternet”=dword:00000001

With this policy enabled, when you attempt to open a Word document with macros that were downloaded from the Internet and enable macros, and you disabled Protected View, you will see a warning stating, “BLOCKED CONTENT Macros in this document have been disabled by your enterprise administrator for security reasons.”

Microsoft Office group policies blocking macros
Microsoft Office group policies blocking macros
Source: BleepingComputer

If you trust this document and know it is safe, you can remove the Mark-of-the-Web by going into the file’s properties, clicking the Unblock button in the security section, and then press the Apply button, as shown below.

File property indicator for the Mark-of-the-Web
Unblocking a file downloaded from the Internet
Source: BleepingComputer

Once you Unblock the file, or remove its Mark-of-the-Web, macros can once again be executed when you open that particular document.

It needs to be reiterated that you should only remove the Mark-of-the-Web from documents you know are 100% trustworthy.

With this policy, you can now achieve the same level of protection as Microsoft’s rolled-back feature. Furthermore, if your organization has a problem blocking all Macros, it is possible to configure ‘Trusted Locations’ where users can save documents and not have macros blocked.

Microsoft also provides various documentation on configuring this policy and creating Trusted Locations, which are recommended to be read by all Windows admins.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us