
Understanding the Essential Eight: Configure Macro Settings

Today we’re looking at the third of the Essential Eight mitigation strategies, ‘Configure Macro Settings’. This follows on from our articles on ‘Application Control’ and ‘Patch Applications’.

Your Microsoft 365 applications are an integral part of your day-to-day business operations, and macros are handy for streamlining how you use them.

As with most things of value in the workplace, macros present a valuable target to hackers. If you don’t manage your macros correctly, hackers could use them to execute malicious code on your system.

If you’re feeling in the dark about macros, what they are and why they can be a cybersecurity risk, Smile IT is here to shine a light on it all for you! Keep reading and you’ll soon have all the info.

What Are Macros in Microsoft 365?

Macros are pieces of code built into Microsoft 365 applications. They’re designed to automate repetitive tasks, like calculations, formatting, or data entry. In this way, they’re extremely helpful in busy corporate environments.

In the wrong hands however, they’re a backdoor into your system.

You see, cyber attackers often hide malicious code inside macros. They’ll email you a legitimate-looking invoice, report, or resume. You open it, enable macros and unknowingly run their malware on your machine.

Why Macro-Based Attacks Still Work

You’d think this would be old news by now, but macro-based attacks are still common because they’re simple, effective, and rely on human trust. Many people don’t know that enabling macros can run code in the background. It only takes one click for ransomware or spyware to slip in.

This is why configuring macro settings properly is so important, and why the Australian Cyber Security Centre recognise it as one of the Essential Eight strategies for enhanced cyber security. It’s about putting guardrails in place so that one click doesn’t cost you your business.

Best Practices for Safe Macro Use

According to the ACSC, macros in Microsoft Office should be disabled by default, unless a user can demonstrate a specific need for them. You don’t have to ban macros completely, but you do need clear rules on how they are implemented in your organisation. Here’s what works well:

  1. Set Policies Centrally

Use Group Policy Objects (GPOs) or your endpoint manager to enforce macro settings across every user and device. This stops accidental or unauthorised changes.

  2. Block Macros in Files from the Internet

Modern Office versions can do this automatically. If a document comes from email or a download, macros won’t run unless you specifically allow them.

  3. Use Signed Macros

Allow only macros that have a valid digital signature from a trusted publisher. Anything unsigned should be blocked.

  4. Educate Your Team

Make sure your staff know why they shouldn’t enable macros in random documents. A simple training session or quick email reminder can save you a lot of trouble.

  5. Monitor and Review

Regularly audit macro usage. If someone keeps getting blocked trying to run dodgy macros, it’s worth investigating.

Configuring Macros and Essential Eight Maturity Levels

The Essential Eight has four maturity levels that indicate how well your organisation is applying the mitigation strategies it recommends. Level 0 indicates no formal procedures or processes in place, while levels 1 to 3 show an increasing adoption of the Essential Eight strategies. The image below sums up the four levels.

[Image: Essential Eight maturity levels]

Here’s how configuring macro settings looks for the four maturity levels:

Maturity Level 0

At this level, your business has significant gaps in macro security settings. This leaves you wide open to hackers using macros to breach your cyber defences.

Maturity Level 1

  • Macros are switched off for anyone who doesn’t clearly need them for their work.
  • Any files that come from the internet won’t run macros by default.
  • Antivirus scanning for Office macros is turned on to catch known threats.
  • Only authorised IT admins can adjust macro settings.
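
One way to check the first three Maturity Level 1 settings above on a workstation, as an added example that is not from the original article or from Smile IT. It assumes Office 2016 or later / Microsoft 365 Apps (registry version 16.0) with macro settings delivered as user policy; the helper name Get-PolicyValue is hypothetical.

```powershell
# Added example: read-only audit of Office macro policy values for the current user.
# Assumes Office 2016 or later / Microsoft 365 Apps (registry version 16.0) and
# settings delivered as user policy (GPO or endpoint manager).
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$vbaMeaning = @{
    1 = 'enable all macros'
    2 = 'disable with notification (user can still click Enable)'
    3 = 'disable all except digitally signed macros'
    4 = 'disable all without notification'
}

# Hypothetical helper: returns $null when the key or value is absent,
# which means the setting is not enforced by policy.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "$base\$app\Security"
    $vba   = Get-PolicyValue $key 'VBAWarnings'
    $block = Get-PolicyValue $key 'blockcontentexecutionfrominternet'
    [pscustomobject]@{
        App               = $app
        MacroPolicy       = if ($null -eq $vba) { 'NOT SET (user controls it)' } else { $vbaMeaning[[int]$vba] }
        MacrosOffOrSigned = $vba -in 3, 4      # off entirely, or signed macros only
        InternetBlocked   = $block -eq 1       # macros blocked in files from the internet
    }
}
$report | Format-Table -AutoSize

# Macro runtime antivirus scanning is one Office-wide value:
# 0 = off, 1 = low-trust files only, 2 = all files.
$scan = Get-PolicyValue "$base\Common\Security" 'MacroRuntimeScanScope'
'Macro antivirus scan scope: ' + $(if ($null -eq $scan) { 'NOT SET' } else { $scan })
```

A row showing NOT SET means no central policy applies to that application, so the user’s own Trust Center choice is in effect and can be changed without an admin.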

Maturity Level 2

  • Everything from Level 1 stays in place.
  • On top of that, macros are prevented from making direct system-level calls through the Win32 API, cutting off another attack route.
  • Macro security settings in Microsoft 365 are locked so only trusted admins can change them.
  • Every time a macro runs, or is blocked, it’s logged so there’s an audit trail if something goes wrong.

Maturity Level 3

  • Builds on Levels 1 and 2.
  • Only macros that run in a sandbox, come from a secure, trusted folder, or are digitally signed by a verified publisher are allowed to run.
  • Only authorised team members can write or edit macros in those trusted folders, and they must check that everything is safe and clean.
  • Macros signed by unknown publishers can’t be enabled from pop-ups or backstage areas in Office.
  • The list of trusted macro publishers in Microsoft 365 is reviewed at least once a year, if not more often.
  • All macro activity, allowed or blocked, is centrally recorded, protected from tampering, and watched closely for any suspicious behaviour. If a threat pops up, it’s acted on straight away.

Making the Essential Eight Simple with Smile IT


At Smile IT, we help businesses align with the Essential Eight, forming a solid foundation for their cyber defences and helping them stay compliant with the rules and regulations in their industry. This includes locking down their macro settings without causing headaches for staff who genuinely need them. Macro malware has been around for decades. It’s not going anywhere soon. But with the right configuration, you can close that door to attackers. It’s another layer in your defences and we’re here to help you set it up properly.

If you’re unsure whether your current macro policies are up to scratch, let’s have a chat. Smile IT can help you tighten them up and build a more robust line of defence. We’re here to help you cover all eight strategies in the Essential Eight.


When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on the Gold Coast or hanging out with his family!
