Microsoft adds macro blocker to Office 2013 to stymie old-school attackers

Admins can take users out of the equation with feature ported from Office 2016

Microsoft yesterday said that it had added a malware-in-macros blocker to Office 2013 after customers demanded that it expand the feature beyond the latest version, Office 2016.

"The predominant customer request we received was for this feature to be added to Office 2013," the Microsoft Malware Protection Center team wrote in an unsigned blog post Wednesday.

IT administrators have been able to block macros from running in Office 2016 since March. Enterprise IT staff can craft group policies to restrict macros, completely block them, or amplify the warnings users normally see before a macro runs.

The same capability was extended to Office 2013 last month, Microsoft said.

As Microsoft contended, users had called on the company to bring the feature to other editions. "Great feature, now how about for older versions of Office?" asked Jarrod Morago in a March comment appended to the original explanation of the feature in Office 2016.

"This should get added to Office 2013 as well," argued someone identified only as Todd. "That would be a goodwill gesture that would go a long way in organizations that are often behind, such as health care."

The group policy blockade was a response to an increase in malware that relied on users enabling macros within Word, Excel or PowerPoint. "Malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected," Microsoft said.

Malicious macros were once a popular infection vector, but as Microsoft tightened the screws in Office, the technique became outmoded. In the last two years, however, the threat resurfaced as attackers created ever-more-convincing appeals to open attached Office documents and switch on macros.

Microsoft will support Office 2013 until April 11, 2023, but its predecessor, Office 2010, drops off the support list in October 2020. Because the latter is in its last five years of support, and because Microsoft is not obligated to add new features during that period, it's unlikely that admin-based blocking will also be extended to Office 2010.