If you are an advanced user of Microsoft Office, you should know VBA macros. Macros power much of the business automation in Office and are the precursor to more modern solutions like Power Automate, which help automate repetitive tasks.
But because they’re so common and so easy to write, they’ve also become a vehicle for bad actors to deliver malicious attacks: they send “useful” macros to business users, who unknowingly run them and, along with the convenience, introduce malware, identity breaches, data loss, and remote access.
To help change that, today Microsoft announced that VBA macros obtained from the Internet will now be blocked by default:
This change only affects Office on devices running Windows, and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word. This change will begin rolling out in version 2203, starting with Current Channel (Preview) in early April 2022. After that, the change will be available in other update channels such as the Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel.
We also plan to make this change for Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013 at a future date to be determined.
Office programs will no longer have these potentially harmful macros enabled by default, but instead display a security risk warning with a link to learn more.
Microsoft enables businesses to manage policies that block macros from the Internet from running in Office and advises users to only open files from trusted locations and/or digitally signed files. Office administrators can learn more from this Microsoft Docs page.
While VBA macros are still useful and powerful tools, it’s never a good idea to run untrusted macros obtained from the internet, and it’s great to see Microsoft taking action to prevent this common security breach.