Part 3 of our comprehensive Essential Eight cybersecurity series for Australian businesses.
The Macro Threat Landscape
Microsoft Office macros have been a favourite tool for attackers for decades—and for good reason. They offer a powerful way to automate tasks, but that same power makes them an ideal vehicle for malicious code delivery.
In our [previous article](/blog/essential-eight-patch-applications), we covered keeping applications patched. Now we turn to configuring those applications securely—starting with Microsoft Office macro settings.
What Are Macros and Why Are They Dangerous?
Macros are small programs written in Visual Basic for Applications (VBA) that automate repetitive tasks in Microsoft Office applications. While legitimate macros improve productivity, malicious macros can:
- Download and execute malware from the internet
- Steal credentials and sensitive data
- Establish persistent backdoors for attackers
- Spread laterally across your network
- Deploy ransomware that encrypts your files
The Attack Chain
A typical macro-based attack follows this pattern:
1. Delivery: User receives email with Office document attachment
2. Social Engineering: Document urges user to "Enable Content" or "Enable Macros"
3. Execution: User enables macros, malicious code runs
4. Payload: Malware downloads additional tools or begins malicious activity
5. Impact: Data theft, ransomware deployment, or network compromise
ACSC Recommendations for Macro Configuration
The Australian Cyber Security Centre provides clear guidance for configuring Office macros:
Maturity Level One
- Block macros from the internet
- Disable macros for users who don't require them
- Log macro execution events
Maturity Level Two
- Block all macros except those in trusted locations
- Implement signed macro requirements for trusted locations
- Antivirus scanning of macro-enabled documents
Maturity Level Three
- Block all macros except digitally signed by trusted publishers
- Centralized management and monitoring
- Advanced logging and alerting
Implementation Guide
Step 1: Assess Macro Usage
Before restricting macros, understand current usage in your organization:
- Survey business units to identify legitimate macro requirements
- Audit existing macros to catalog business-critical automation
- Identify alternatives such as Power Automate or Python scripts
Step 2: Configure Group Policy Settings
For Windows environments, use Group Policy to enforce macro settings:
Key Policies (Administrative Templates > Microsoft Office):
- `VBA Macro Notification Settings`: Set to "Disable all with notification" or stricter
- `Block macros from running in Office files from the Internet`: Enable
- `Macro Runtime Scan Scope`: Enable for all documents
- `Trust access to the VBA project object model`: Disable
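To check that these policies have actually reached a workstation, the following PowerShell audit reads the registry values that the four settings write. It is an added example, not part of the original article; it assumes Office 2016 or later (registry version key 16.0), covers only Word, Excel and PowerPoint, and must run in the user's own session because these are per-user policies.

```powershell
# Added example: audit the per-user Office macro policy values on this machine.
# Assumption: Office 2016 or later / Microsoft 365 Apps (registry version key 16.0).
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Policy name from the list above -> registry value name and the values treated as compliant.
$perApp = @(
    @{ Policy = 'VBA Macro Notification Settings'
       Name = 'VBAWarnings'; Ok = 2, 3, 4 }   # 1 = enable all macros (non-compliant)
    @{ Policy = 'Block macros from running in Office files from the Internet'
       Name = 'blockcontentexecutionfrominternet'; Ok = @(1) }
    @{ Policy = 'Trust access to the VBA project object model'
       Name = 'AccessVBOM'; Ok = @(0) }
)

function Test-PolicyValue {
    param([string]$Path, [string]$Policy, [string]$Name, [int[]]$Ok)
    # A missing key or value means the policy is not configured,
    # so the user can still change the setting in the Trust Center.
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Path   = $Path
        Policy = $Policy
        Value  = if ($null -eq $value) { 'not configured' } else { $value }
        Status = if ($null -ne $value -and $Ok -contains $value) { 'OK' } else { 'REVIEW' }
    }
}

$results = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    foreach ($p in $perApp) {
        Test-PolicyValue -Path "$base\$app\Security" @p
    }
}

# Macro Runtime Scan Scope is a suite-wide setting: 2 = scan all documents.
$results += Test-PolicyValue -Path "$base\Common\Security" `
    -Policy 'Macro Runtime Scan Scope' -Name 'MacroRuntimeScanScope' -Ok 2

$results | Format-Table -AutoSize
```

Any row marked REVIEW is either unset or weaker than the setting listed above; confirm the GPO is linked and applied to that user before relying on the control.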
Step 3: Implement Trusted Locations
For legitimate business macros:
- Create network shares for approved macro-enabled documents
- Configure these as Trusted Locations in Group Policy
- Implement access controls on Trusted Location folders
- Establish approval process for adding new macros
Step 4: Code Signing Infrastructure
For Maturity Level Three:
- Deploy a code signing certificate for macro developers
- Establish procedures for signing approved macros
- Configure Office to only run macros signed by trusted publishers
- Maintain certificate lifecycle management
Communicating with Users
Macro restrictions may impact some users. Prepare them:
- Explain the security rationale in business terms
- Provide clear procedures for requesting macro approval
- Offer training on alternatives where available
- Set expectations for approval timelines
Monitoring and Enforcement
Track macro activity across your environment:
- Enable Windows Event Logging for Office applications
- Forward logs to your SIEM for analysis
- Alert on macro execution attempts
- Review blocked macro reports regularly
Next Steps
Macro configuration is critical, but it's part of a broader application security strategy. In our next article, we'll explore User Application Hardening—reducing the attack surface of everyday applications.
Need help securing Microsoft Office in your organization? Cloudscape IT specializes in Microsoft 365 security configuration for Australian businesses. Contact us for a security assessment.
---
This article is part of our Essential Eight cybersecurity series.


