In the interest of fighting ransomware and other malware, Microsoft is planning a major change to how the Office software handles macros: when files that use macros are downloaded from the Internet, those macros will now be completely disabled by default. Current versions of the software offer a warning banner for clickable files of this type, but the new version of the banner does not offer the ability to enable macros.
The preview of the change will begin in April with the Office 2203 release, and then starting in June it will be available to all users of the Microsoft 365 Office Continuously Updated version. This change will also be enabled for all currently supported standalone versions of Office, including 2021, 2019, 2016, and 2013 versions. Mac, iOS, Android, and Office web versions will not be affected.
Office can keep track of which macros were downloaded from the Internet or from a network share using the Zone.Identifier tag, at least when the file is saved to an NTFS volume. This so-called “network label”(MOTW) is already in use in Office – if you’ve ever loaded a document or spreadsheet and were notified that editing is disabled by default, thank MOTW. When Office sees a web stamp tag, it opens the file in read-only Protected View in case the file is malicious.
If users really want to, they can still use these macros with relative ease. Open the properties of any file downloaded from the internet and you can click on the “unblock”button which will remove the “mark online”tag. As with many other security improvements, this change isn’t so much about making something impossible as it is about installing ankle-high fences to protect users from accidental clicks or simple mistakes.
Organizations that use macros will also be able to change this setting through Group Policy. Organizations can do this by placing macro files in Trusted Locations or digitally signing their macros.