What you need to know
- Microsoft will not block VBA macros by default in downloaded Office documents.
- The company has tested a default block for VBA macros since April 2022, but decided against rolling it out to general users.
- VBA macros present a security risk because they can be used to as part of malware and phishing attacks.
Despite testing a block on VBA macros since April 2022, Microsoft will not block these types of files by default in Office documents. Back in spring, Microsoft started rolling out a change to the Current Channel of Office that prevented downloading VBA macros by default. This was done in the name of security since these types of files can be used in malware and phishing attacks. Now, it appears that Microsoft is changing course.
Microsoft stated that it decided against rolling out the change due to feedback.
"Based on feedback, we’re rolling back this change from Current Channel production. We appreciate the feedback we’ve received so far, and we’re working to make improvements in this experience," said Microsoft's Wenjun Gong in a Tech Community post. "We’ll provide another update when we’re ready to release again to Current Channel. Thank you."
Based on Gong's comment, it seems likely that Microsoft will implement a similar change at some point in the future.
Some in the comments section of that post were critical of Microsoft rolling back the change without notice. "Rolling back a recently implemented change in default behaviour without at least announcing the rollback is about to happen is very poor product management," said vincehardwick.
The change was set to ship to general users in June 2022, but Microsoft rolled it back before that happened.
VBA macros are commonly used in phishing scams and in efforts to get malware onto PCs. In attacks, unsuspecting victims see a macro attached to a document. If opened, the macro then places whatever it wants to onto a system, such as malware.
