1 min

Microsoft is modifying Office to protect users against malware. Macros downloaded from the Internet will be automatically blocked in Office.

Currently, files stored on NTFS volumes are scanned for malicious macros through a ‘Zone.Identifier’ tag. This so-called ‘mark-of-the-web’ (MOTW) ensures that file changes are disabled by default. If MOTW is detected, the file is opened in a read-only mode. However, at this time, opening files through the banner will still allow edits. An upcoming change removes the latter. Read-only mode becomes truly default, reducing the risk of unknowingly activating malicious macros.

Workaround possible

Office files containing legit internet macros will still be editable. Microsoft’s measure is only intended to make it more difficult for cybercriminals to penetrate systems.

Read-only modes can be circumvented by opening file properties and clicking the ‘unlock’ button. This will remove the MOTW, which prompts Office to flag the file as a normal file. Group Policy allows property editing on a large scale.

Almost all Office versions covered

The new security feature will be available via a preview in Office v2203, which is expected in April. The feature will be pushed through live Microsoft 365 updates starting in June. Office versions 2021, 2019, 2016 and 2013 are being updated as well. The macOS, iOS, Android and web versions will have to do without.