Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 3: Configure Microsoft Office Macros

The Essential 8 Maturity Model is a set of baseline cyber security measures for Australian organisations developed by the Australian Cyber Security Centre (ACSC). This article forms part of our Essential 8 series and goes into detail on Mitigation Strategy 3: Configure Microsoft Office Macros. Read on to learn how you can implement Mitigation Strategy 3: Configure Microsoft Office Macros for all Essential 8 Maturity Levels within your organisation.

What are Microsoft Office Macros?

Microsoft Office macros are hugely helpful in corporate environments. For example, if there is a task, say a report, that needs to be done in a certain way again and again, why not automate it? Macros allow you to do this by recording steps or writing code to automate the action. They save time and can be more accurate, since computers are better at repeating tasks than humans. Microsoft Office macros can be run from Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Project, Microsoft Publisher, Microsoft Visio and Microsoft Word, so all of these applications need to be secured.

Unfortunately, because macros are so valuable and so widespread in business environments, threat actors are well aware of them, and they have become a key target. Threat actors are creative: because a macro is code, it can be written to execute malicious code on an unsuspecting user's machine rather than to streamline a business process. Delivery methods include email attachments and downloads from websites, disguised as something useful but malicious when executed.

Therefore, Microsoft Office macros must be managed and configured to prevent the execution of malicious code.


Why are Microsoft Office Macros important?

If you’ve been following the series, you will know we take a human-centred approach towards Essential 8 and each mitigation strategy. Here is how we do it for Microsoft Office macros.

👩‍💼Business users

  • I want to automate my repetitive tasks and make them quicker and more accurate
  • I am familiar with Microsoft macros because I use them in my daily tasks
  • I sometimes look online to see if there are any macros I can download and use
  • I get emails with documents on them
  • I see the macro popup when I open Microsoft Office applications, but I see it all the time, and it’s annoying, so I just click enable
  • I don’t know if macros are malicious or not

✅Risk managers

  • I want to minimise the risk by limiting the use of macros
  • I use some macros to help automate some of my risk assessments

👩‍💻IT users

  • I don’t know what macros are being used by business users and whether they are business critical
  • I don’t know the macros business users may be downloading from the internet
  • I know files from the internet or sent through emails can contain malicious macros

😈Threat actors

  • I know many organisations use macros for business purposes
  • I want to deliver my files to as many users as possible to increase the chances of someone enabling my macro
  • I want to deliver my files in the cheapest and fastest way possible to increase my net profit
  • I try to disguise my macros as much as possible so people will enable them


Maturity Level 1: Microsoft Office Macros

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

As mentioned, macros in the wrong hands can be dangerous.

Essential 8 understands that users are unaware of which macros are malicious and which are not. Therefore, to prevent malicious Microsoft Office macros from running in the first place, Essential 8 wants you to disable macros unless you have demonstrated a business requirement.

To implement this, Microsoft Attack Surface Reduction rules are your friend. Additionally, your organisation should have a clear process for users who have a demonstrated business requirement, and that access should be reviewed periodically, as it may no longer be required.

Microsoft Office macros in files originating from the internet are blocked.

While there are a lot of good macros out there helping and teaching our business users what to do on the internet, there are also malicious ones.

Unless we trust a macro, we should not allow it to run. If you picked up a USB stick off the street, would you plug it into your computer? Or would you think twice? Macros from the internet are the same. Make sure your users understand why before you block them.

This requirement is another of Microsoft's Attack Surface Reduction rules and can be easily implemented. Make sure changes are communicated; you would not want hundreds of business users knocking on your door.

Microsoft Office macro antivirus scanning is enabled.

Macros can contain malicious code, so why would you not want your antivirus solution to scan them first? Like any other file on your system, a macro should be scanned for viruses before you run it. Who knows, an insider might have put something malicious into it. Either way, scanning before opening is prudent and has low user impact, as most users understand what a virus scan is.

Yet another easy-to-implement Microsoft Attack Surface Reduction rule. Try opening a file with a macro. It should show it is scanning in the message bar before allowing you to open the file.

Microsoft Office macro security settings cannot be changed by users.

Resourceful and tech-savvy users may want to run these macros despite them being blocked. They may have heard how helpful a macro is and want to run it, and they could go into the Microsoft Office security settings to enable macros themselves. Therefore, these settings must be centrally managed.

Yet another easy-to-implement Microsoft Attack Surface Reduction rule. To check, the Microsoft Office macro security settings should appear greyed out in the Trust Center.
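The four Maturity Level 1 controls above map to Office Trust Center policy settings, which Group Policy and Intune write under the Policies registry hive; values set there are what make the Trust Center options appear greyed out. The script below is an added example, not part of the original article, that applies and then verifies those settings for a single user; it assumes Microsoft 365 Apps / Office 2016 or later (hive version 16.0) and leaves Outlook and Project out because they use different policy value names.

```powershell
# Added example: apply the Maturity Level 1 macro policies via the
# Office policy hive (the same keys Group Policy / Intune write).
$OfficeVersion = '16.0'
$PolicyRoot    = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

# VBAWarnings: 2 = disable with notification, 3 = disable except digitally
# signed, 4 = disable all without notification. Users with no demonstrated
# business requirement get 4; approved users are targeted by a separate GPO.
$VbaApps      = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'
# Apps that expose the "Block macros from running in Office files from the
# Internet" policy (files carrying the Mark-of-the-Web: downloads, email).
$InternetApps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Set-OfficePolicyValue {
    param([string]$KeyPath, [string]$Name, [int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value `
                     -PropertyType DWord -Force | Out-Null
}

foreach ($app in $VbaApps) {
    Set-OfficePolicyValue "$PolicyRoot\$app\Security" 'VBAWarnings' 4
}
foreach ($app in $InternetApps) {
    Set-OfficePolicyValue "$PolicyRoot\$app\Security" 'blockcontentexecutionfrominternet' 1
}
# Macro runtime (AMSI) antivirus scanning: 2 = scan macros in all documents,
# 1 = only low-trust documents, 0 = off. Requires an AMSI-aware AV engine.
Set-OfficePolicyValue "$PolicyRoot\Common\Security" 'MacroRuntimeScanScope' 2

# Verification pass: one row per app, blank cells mean the policy is missing
$VbaApps | ForEach-Object {
    $key = "$PolicyRoot\$_\Security"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                 = $_
        VBAWarnings         = $p.VBAWarnings
        BlockInternetMacros = $p.blockcontentexecutionfrominternet
    }
} | Format-Table -AutoSize
```

Run it under the account being checked; because the values live under HKCU, a machine-wide rollout still needs the GPO or Intune policy that writes them for every user.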


Maturity Level 2: Microsoft Office Macros

Microsoft Office macros are blocked from making Win32 API calls.

Most business users don’t even know what a Win32 API call is, let alone how to use one. Threat actors, on the other hand, know that VBA can call Win32 APIs directly, giving a malicious macro capabilities well beyond what the VBA language itself provides.

If your organisation does not need its Office applications to make Win32 API calls, block them. Why are Microsoft Office macros allowed to make Win32 API calls in the first place? We have yet to see many organisations using this, so it is best to block it.

The Microsoft Attack Surface Reduction rule for Win32 API calls can help you block Microsoft Office macros from making them.

Allowed and blocked Microsoft Office macro execution events are logged.

Logging is always essential. If we want to empathise with our users, one way to do this is to hear what they say and see what they do.

At Maturity Level 2, we need to store logs that record allowed and blocked Microsoft Office macro execution events. Logs can be invaluable for future forensics or analysis, should it be required. Later, we will need the capability to centralise and monitor these logs.
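The two Maturity Level 2 controls can be exercised together: enabling the Defender Attack Surface Reduction rule for Win32 API calls, and then reading back the allowed (audited) and blocked events it writes. This is an added example, not the article's or Microsoft's own code; it assumes Microsoft Defender Antivirus is the AV engine, that the rule GUID is the one Microsoft documents for "Block Win32 API calls from Office macros", and that the event data field names match Defender's ASR event schema (confirm against one real event with `ToXml()` before relying on them).

```powershell
# Added example: enable the "Block Win32 API calls from Office macros" ASR
# rule and list the matching allowed/blocked macro events.
$Win32ApiRule = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'   # Microsoft-documented rule GUID

# Deploy in AuditMode first to discover legitimate macros that would break,
# then switch to Enabled. In production this comes from Intune/GPO, not a
# local call, and tamper protection may reject local changes.
Add-MpPreference -AttackSurfaceReductionRules_Ids $Win32ApiRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Confirm the effective state (1 = Block, 2 = Audit, 0 = Disabled, 6 = Warn)
$pref  = Get-MpPreference
$state = 'not configured'
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $Win32ApiRule) {
        $state = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
"Win32 API rule state: $state"

# ASR logs event 1121 (blocked) and 1122 (audit mode, would have blocked)
# to the Defender operational log; the rule GUID is in the event data.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ID'] -like "*$Win32ApiRule*") {            # assumed field name: ID = rule GUID
        $action = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = $action
            Process = $data['Process Name']                # assumed field name
            Path    = $data['Path']                        # assumed field name
            User    = $data['User']                        # assumed field name
        }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

The same 1121/1122 events are what you forward to a SIEM at Maturity Level 3, so the filter above doubles as a check that forwarding is picking up the right log.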


Maturity Level 3: Microsoft Office Macros

Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.

Now that we’ve established that Microsoft Office macros can be dangerous, prevented users from running them from untrusted sources and limited what macros can do, it’s time to take it to the next level.

Not only must users have a business requirement to run macros, they can now only run macros from a sandboxed environment, a Trusted Location or ones that are digitally signed by a trusted publisher.

To implement this, a Trusted Location can be configured with your conditional access rules, while a trusted publisher must be certified by Microsoft. In addition, your organisation may create its own macros and digitally sign them to add to a trusted list.

This requirement can be challenging to implement as it would mean IT departments are now responsible for all macros within the business. Therefore, proper policy and procedural updates are required to manage Microsoft Office macros successfully.

Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.

Trusted Locations are, as the name suggests, trusted. If anyone can create, update and delete the files in them, it defeats the purpose of having a Trusted Location. Since all files in Trusted Locations bypass the macro security checks, this highly sensitive area must be tightly controlled.

Privileged user permissions can be managed via Group Policy Object settings.
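As an added example (not from the article), the script below defines a policy-controlled Trusted Location for Word and Excel through the Office Trust Center policy keys and then audits the folder's ACL, reporting every identity that can write to, modify or delete content there and whether it is on the approved list. The UNC path, the `CONTOSO\MacroValidators` group and the allow-list are placeholders.

```powershell
# Added example: policy-defined Trusted Location plus a write-permission audit.
$OfficeVersion  = '16.0'
$TrustedPath    = '\\fileserver\OfficeMacros\Approved\'          # placeholder UNC path
$AllowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'CONTOSO\MacroValidators')                    # placeholder group

foreach ($app in 'Word', 'Excel') {
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security\Trusted Locations"
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    # A UNC path is only honoured when network locations are allowed
    New-ItemProperty -Path $base -Name 'AllowNetworkLocations' -Value 1 `
                     -PropertyType DWord -Force | Out-Null
    $loc = Join-Path $base 'Location1'          # first policy-defined slot
    if (-not (Test-Path $loc)) { New-Item -Path $loc -Force | Out-Null }
    New-ItemProperty -Path $loc -Name 'Path' -Value $TrustedPath `
                     -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $loc -Name 'AllowSubFolders' -Value 0 `
                     -PropertyType DWord -Force | Out-Null       # keep the scope tight
    New-ItemProperty -Path $loc -Name 'Description' -Value 'Macros validated by IT' `
                     -PropertyType String -Force | Out-Null
}

# Audit: any Allow ACE carrying write/modify/delete rights is reported, and
# flagged non-compliant if the identity is not on the approved list.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete)

(Get-Acl -Path $TrustedPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            Compliant = $AllowedWriters -contains $_.IdentityReference.Value
        }
    } | Format-Table -AutoSize
```

Inherited entries that show up as non-compliant usually mean the share's parent folder grants broad write access, so fix the inheritance rather than only the leaf folder.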

Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.

Again, we want to continue the work we have implemented to stop users from running untrusted Microsoft Office files.

Ever seen that message bar pop up when you open a Word or Excel document, with the ‘Enable Content’ button on it? Another way to enable macros is via Backstage View, as seen below.

Disable both of these routes through your Group Policy Object settings.

Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.

People come and go. Business environments change. A trusted publisher may no longer be around, or the business may no longer need that macro. Like all lists, the list of trusted publishers needs to be maintained and updated.

Keep a record of your organisation’s trusted publishers and review it at least annually.
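Office decides whether a signed macro's publisher is trusted by looking in the Trusted Publishers certificate store, so the annual review can start from an inventory of that store. The script below is an added example (not the article's own) that enumerates the user and machine Trusted Publishers stores, flags expired, soon-to-expire and chain-invalid certificates, and exports the list as the review record; the 90-day review window is an assumed value.

```powershell
# Added example: inventory of trusted macro publishers for the annual review.
$ReviewWindowDays = 90                              # assumed value
$now    = Get-Date
$cutoff = $now.AddDays($ReviewWindowDays)

$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        # Verify() builds and checks the chain, including revocation where reachable
        $status = if ($_.NotAfter -lt $now)        { 'EXPIRED' }
                  elseif ($_.NotAfter -lt $cutoff) { 'EXPIRING' }
                  elseif (-not $_.Verify())        { 'CHAIN-INVALID' }
                  else                             { 'OK' }
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Status     = $status
        }
    }
}

$report | Sort-Object Status, NotAfter | Format-Table -AutoSize

# Keep the dated export with the review; the reviewer marks each row keep/remove.
$csv = Join-Path $env:USERPROFILE ("TrustedPublishers-{0:yyyyMMdd}.csv" -f $now)
$report | Export-Csv -Path $csv -NoTypeInformation

# Removing a publisher that is no longer required (placeholder thumbprint):
# Get-ChildItem 'Cert:\CurrentUser\TrustedPublisher\<THUMBPRINT>' | Remove-Item
```

A certificate marked OK can still belong to a publisher the business no longer uses, so the status column narrows the review rather than replacing it.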

Allowed and blocked Microsoft Office macro execution events are centrally logged.

Again, to achieve Maturity Level 3, it is clear that you must have a SIEM solution to centralise your logs.

Ingest your logs into your SIEM solution and set storage limits in alignment with your business continuity rules.

Event logs are protected from unauthorised modification and deletion.

Logs should always be protected. If there is an attack and you need to perform forensics, you want to be sure the logs are still there to look at and that their integrity is intact. Whether you store these logs yourself or use a managed service provider like CyberOxide's SOC, it is worth checking how your logs are protected.

Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Collecting and protecting your logs is not enough. Maturity Level 3 requires someone to monitor your logs for signs of compromise. Although it would be great to also monitor allowed and blocked Microsoft Office macro events, this requirement is only about monitoring the logs themselves for signs of compromise.


Concluding Microsoft Office Macros

Essential 8 was designed for Microsoft-based organisations, because most government organisations and corporate businesses use Microsoft products. Having an entire mitigation strategy devoted to configuring Microsoft Office macros is a clear indication of this Microsoft focus.

We found that Microsoft Office macros can be helpful but also dangerous. Mitigation Strategy 3: Configure Microsoft Office Macros seeks to prevent users from running macros that could be malicious. It does this by limiting which macros can run, who can run them and how macros are managed. With every increase in maturity level, the limitations and controls become more onerous.

Thankfully, Microsoft is aware of these dangers and has made the technical implementation of Attack Surface Reduction rules easy. To succeed, communication, awareness and process redesign are essential to ensure the controls work within your organisation.


Where to Next?

Configure your organisation’s Microsoft Office macros! Accelerate your Essential 8 program and reach out to a CyberOxide Specialist to help uplift and assess your Essential 8 Mitigation Strategy 3: Configure Microsoft Office Macros.

Continue learning about Essential 8 with our next article on Essential 8 Mitigation Strategy 4: User Application Hardening.


Continue with our Essential 8 series

8 Essential Mitigation Strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Macros
  4. User Application Hardening
  5. Restrict Admin Privileges
  6. Patch Operating Systems
  7. Multifactor Authentication
  8. Regular Backups


Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find out how we can help you.
