Office 365 client applications now integrate with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. This is part of our continued efforts to tackle entire classes of threats.
Office VBA + AMSI: Parting the veil on malicious macros
Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios.
Macro-based malware infection is still increasing
We featured macro-based malware in our Threat Intelligence report last year, but infections are still increasing. Despite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three months. In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros. Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.
The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.
In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. Let’s walk through a common attack scenario and see this feature in action.
Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.
Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there. James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment. When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document.