Microsoft recently announced plans to change the default setting in Office 365 in April 2022. The update is designed to help improve protection against hackers.
However, it’s expected that the next Microsoft 365 security update settings will be imposed by default – and that may have an impact on your network.
The latest security update will define which code is permitted to run on the system and disable what is not. Most significantly, Microsoft will disable Visual Basic for Applications (VBA) macros by default. This will also restrict legitimate uses of documents that contain VBA macros.
For example, if you offer free Word-based pdfs for your users to download as a marketing tool to capture email addresses, the visitors to your website that are using Windows will be blocked from downloading your material.
This is not the first time a Microsoft macro settings update has created havoc. If you were among the thousands of users that experienced issues with the macro update in Excel last year, you know what we mean!
Whilst your business needs third-party software to support your unique operations strategy, sometimes compromises need to be made for the sake of IT security.
Microsoft is also putting in defences to thwart “living off the land” (LOL) attacks. These attacks abuse your existing legitimate tools, for example by dropping malicious attachments in Microsoft Teams chats, which we reported last week.
It appears as though Microsoft is encouraging 365 users to move away from the Windows Management Instrumentation Command (WMIC) tool and adopt Windows PowerShell instead.
While the shift to PowerShell won’t stop attacks, it does add an extra layer of security that makes it that little bit harder for attackers to infiltrate your IT system.
What is Windows PowerShell?
PowerShell is a cross-platform solution that boasts several features designed to improve the security of your scripting environment. Script Block Logging enables you to identify non-native code that shouldn’t be there.
That means hackers have to bring new code into your system, which they can do through macros or malicious files in phishing attacks. Provided your staff are trained to spot cyber threats, it’s much harder for threat actors to exploit a computer system.
In recent years, hackers have been developing techniques to exploit existing files and tools. However, to do this, they have to compromise a computer and avoid detection controls.
With the relevant tools in place, all you need to do is know how to use them. We still have to wait to see how Microsoft executes the upcoming security update next month, but we have outlined the most likely scenarios below.
Microsoft 365 Update: Manage Your Macros
According to the National Cyber Security Centre, macros are the most prevalent form of attack against Microsoft 365 users. Macros can be written by threat actors to bypass security defences and either gain access to a network or otherwise harm a system.
Malicious macros are just as harmful as any other type of malware. They can steal data, disrupt your system or emulate ransomware.
To prevent users from running malicious macros, any files you download from the internet that contain macros will be automatically blocked.
Users should expect to see a security risk message appearing on their screen that reads: “Microsoft has blocked macros from running because the source of this file is untrusted.”
This will mean that Microsoft 365 subscribers using Access, Excel, PowerPoint, Visio, and Word running on the Windows operating system will not be able to download or access content from other websites. This means some of your customers or prospects won’t be able to access your content.
Microsoft recommends:
“Work with the business units in your organisation that use macros in their Office files, such as the Finance department, and with independent software vendors (ISVs) that you rely on who make use of macros in Office files.”
Microsoft Credential Guard
Microsoft is floating the idea of automatically enabling Credential Guard for Windows Enterprise and E5 licensees. Credential Guard uses virtualisation-based security to isolate the Local Security Authority (LSA) process from the rest of the operating system’s memory.
The isolated LSA process uses only a subset of binaries that are signed with a certificate and are “needed for security and nothing else.” This way the binaries are trusted by Credential Guard, which protects Enterprise and E5 licensed machines from falling victim to nefarious acts.
Mark Your Macros
Blocking macros by default will prevent users from running macro-based templates downloaded from around the web. However, it will also prevent 365 users from opening existing documents that contain macros.
To avoid employees being restricted from opening documents they need, you will need to mark these documents as trusted by removing the “mark of the web” from the files.
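The mark of the web is stored in each file's Zone.Identifier alternate data stream, so it can be inventoried before anything is unblocked. The following is an added example, not Microsoft's or this article's own code; the share path and the approved-hash list are placeholder assumptions. It reports macro-capable Office files that are tagged as coming from the internet and removes the mark only from files whose SHA-256 hash a reviewer has already approved.

```powershell
# Added example: inventory macro-capable Office files that carry the Mark of
# the Web, then unblock only files whose hash a reviewer has approved.
# $Share, $ReportPath and $ApprovedHashes are placeholder paths (assumptions).
$Share          = '\\fileserver\finance\templates'
$ReportPath     = 'C:\Temp\motw-report.csv'
$ApprovedHashes = 'C:\Temp\approved-sha256.txt'   # one SHA-256 hash per line

$macroExtensions = '*.docm', '*.dotm', '*.xlsm', '*.xltm', '*.xlsb', '*.xlam',
                   '*.pptm', '*.potm', '*.ppam', '*.doc', '*.xls', '*.ppt'

$tagged = Get-ChildItem -Path $Share -Recurse -File -Include $macroExtensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The mark lives in the Zone.Identifier alternate data stream (NTFS only).
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $zone = if (($stream -join "`n") -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Path   = $_.FullName
                ZoneId = $zone    # 3 = Internet, 4 = Restricted sites
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

# Step 1: hand the list of internet-tagged files to whoever reviews them.
$fromInternet = @($tagged | Where-Object { $_.ZoneId -ge 3 })
$fromInternet | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output ("{0} macro-capable files carry the Mark of the Web" -f $fromInternet.Count)

# Step 2: unblock only files whose current hash is on the approved list, so a
# file that was replaced after review keeps its mark.
if (Test-Path -LiteralPath $ApprovedHashes) {
    $approved = Get-Content -LiteralPath $ApprovedHashes | ForEach-Object { $_.Trim().ToUpper() }
    $fromInternet |
        Where-Object { $approved -contains $_.SHA256 } |
        ForEach-Object { Unblock-File -LiteralPath $_.Path -WhatIf }   # drop -WhatIf to apply
}
```

With -WhatIf in place the script only prints what it would unblock, which makes a dry run against the share safe.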
Also, evaluate other macro settings using Intune with Azure Active Directory or Group Policy with Active Directory. You will need to do the following:
Disable settings that prevent you from accessing VBA macros. This will remove Microsoft’s security warning.
Block VBA macros from running in Word, Excel, PowerPoint, Access and Visio files from the Internet
Change how automated VBA macros behave in applications.
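Before changing any of these settings it helps to see what is currently enforced. This added example (not from Microsoft or the original article) reads the per-user policy values that Group Policy or Intune write for each Office application and flags the ones that weaken the new default. It assumes the Office 16.0 policy hive and assumes that Access and Visio use the same `<app>\security` key layout as Word, Excel and PowerPoint; check the paths against your administrative templates.

```powershell
# Added example: audit the per-user Office macro policies on this machine.
# Assumption: policies are delivered under the Office 16.0 policy hive and
# Access and Visio follow the same <app>\security layout as Word and Excel.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'access', 'excel', 'powerpoint', 'visio', 'word'

# Meaning of the "VBA Macro Notification Settings" (vbawarnings) values.
$vbaWarnings = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$report = foreach ($app in $apps) {
    $key   = Join-Path $base "$app\security"
    $block = Get-PolicyValue -Key $key -Name 'blockcontentexecutionfrominternet'
    $warn  = Get-PolicyValue -Key $key -Name 'vbawarnings'

    [pscustomobject]@{
        App                 = $app
        BlockInternetMacros = if ($null -eq $block) { 'Not configured' }
                              elseif ($block -eq 1) { 'Enabled' }
                              else { 'Disabled' }
        VbaWarnings         = if ($null -eq $warn) { 'Not configured' }
                              else { $vbaWarnings[[int]$warn] }
        # Flag an explicitly disabled internet block or "enable all macros".
        NeedsReview         = ($block -eq 0) -or ($warn -eq 1)
    }
}

$report | Format-Table -AutoSize
```

"Not configured" means the application falls back to its built-in default, so only rows with NeedsReview set to True override Microsoft's blocking behaviour.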
Microsoft 365 Security Specialists
We appreciate software updates can be disruptive, confusing and frustrating – even for experienced IT professionals. Cloud software is a specialist area. If your IT team does not have experience with cloud computing and the security measures involved, there is a higher risk of making a mistake.
It’s worth bearing in mind that misconfigured cloud settings are among the leading causes of data breaches. According to Bitdefender, 80% of companies that suffered a successful attack left a gateway open because of an error with the cloud configuration.
Don’t risk business disruptions following Microsoft’s next security update. And certainly don’t risk leaving your business network exposed for threat actors to exploit.
Our teams of Microsoft 365 specialists in Surrey have worked with cloud computers for several years now and can help to avoid your IT team pulling their hair out. More importantly, we can help to ensure your cybersecurity defences are as strong as possible.