‘High Risk’ Microsoft Office Macro Security Control Bypassed With Zero Code - Just Drag and Drop

Flash back to March 2016 - Microsoft introduced a ‘new feature’ in Office 2016 that would block macros in documents from the Internet. This feature was considered critical enough that they backported it to Office 2013.

Per their blog (link below) announcing the new feature:

"Macro-based malware is on the rise and we understand it is a frustrating experience for everyone. To help counter this threat, we are releasing a new feature in Office 2016 that blocks macros from loading in certain high-risk scenarios."

So Office documents from the Internet with macros are considered ‘high-risk scenarios’. Noted.

Microsoft’s blog went on to say this:

“In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.”

98% of Office-targeted threats use macros. Let’s note that too.

Fast forward to 2 months ago, ironically also in March - Brady, Laura, Jennifer and I were validating our security controls around Office documents with macros, and one of our team members, Laura, wasn’t seeing the ‘BLOCKED CONTENT’ notice in a document sent from the Internet. Not cool, Microsoft.

Each of the other team members who also received that same Office document, from the same external sender, did get the ‘BLOCKED CONTENT’ notice.

We then confirmed the following registry key was set on all systems, including Laura’s.

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security DWORD: blockcontentexecutionfrominternet Value = 1

Definitely not cool.

So, how did that ‘new feature’ specifically designed for ‘high-risk scenarios’ get bypassed?

Well, Laura simply dragged the document from Outlook to her desktop and opened it. Yep. Drag-n-drop is all it took.

We had no idea how many of our employees also drag and drop documents from Outlook and no idea how we could detect it to know how widespread the issue is.

We notified Microsoft that same day of the vulnerability in what they previously described as one of their ‘high-risk security features’.

For the last two months they kept us updated on the status of the fix, repeatedly telling us how they had again ‘escalated it’ to additional engineering teams.

A couple days ago they pulled an ‘Office 180’ and told us this -- verbatim:

“After their review, it was determined a fix will not be released for the reported behavior.
The issue is related to known behaviors where files may lose the Mark-of-the-Web (MotW) in certain scenarios.”

What? So what you’re saying, Microsoft, is that your Office applications and/or your Operating System(s) ‘lose’ track of a file and forget it came from the Internet?

Correct me if I am wrong, Microsoft, but I’m pretty sure you called an Office document with macros from the Internet a ‘high-risk scenario’. Right?

Let that sink in... Having the 'Block Content Execution from Internet' setting enabled does not mean your Office apps will always block content execution (i.e. malicious macros) from the Internet. True story.
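If you want to check this on your own systems, here is an added PowerShell audit script (not from the article, and not Microsoft's code) that reads the Zone.Identifier alternate data stream, which is where the Mark-of-the-Web is stored, and confirms the blockcontentexecutionfrominternet policy value the article cites. The file paths are placeholders, and the word and excel keys are assumed to follow the same pattern as the powerpoint key quoted above.

```powershell
# Added example: audit files for the Mark-of-the-Web and check the Office
# "block macros from the Internet" policy. Assumes Windows, NTFS, PowerShell 5.1+.

function Get-MotwZone {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if the
    # stream is absent. Without the stream, Office has no way to know the file
    # came from the Internet, so the policy cannot apply.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-OfficeMacroBlockPolicy {
    # Reads HKCU policy keys for each app. The powerpoint key is the one quoted
    # in the article; word and excel are assumed to use the same layout.
    param([string[]]$Apps = @('word', 'excel', 'powerpoint'), [string]$Version = '16.0')
    foreach ($app in $Apps) {
        $key = "HKCU:\SOFTWARE\Policies\Microsoft\office\$Version\$app\security"
        $val = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                    -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{ App = $app; PolicySet = ($val -eq 1) }
    }
}

# Placeholder paths: one attachment saved with "Save As", one dragged from Outlook.
$files = @("$env:USERPROFILE\Downloads\saved-as.docx", "$env:USERPROFILE\Desktop\dragged.docx")
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "missing: $f"; continue }
    $zone = Get-MotwZone -Path $f
    $status = if ($zone -eq 3 -or $zone -eq 4) { 'MotW present (Internet/Restricted) - policy applies' }
              elseif ($null -eq $zone)        { 'NO MotW - policy will NOT apply' }
              else                            { "ZoneId=$zone - not Internet, policy will NOT apply" }
    "{0}`t{1}" -f $f, $status
}
Test-OfficeMacroBlockPolicy | Format-Table -AutoSize
```

A file that reports "NO MotW" will open with macros enabled under this policy regardless of where it originally came from, so the registry value alone is not evidence the control is working.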

Just when it looked like Microsoft was taking security seriously, they now decide to close the case on fixing a known issue involving high-risk Office documents with macros from the Internet.

Then again, Microsoft also announced at their recent Build conference a new 'feature' to execute custom JavaScript in Excel. So there’s that…

====================================================

Reference

https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

As an FYI, Microsoft is fully aware of this vulnerability disclosure.

All product names, logos, and brands are property of their respective owners. All company, product and service names used in this article are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Lara Rosales

Media Relations expert

7 months

Great share, Todd!

Joshua Sutfin

Senior Security Consultant

6 years

So we just need to block all external attachments.
