IT Security: how to protect yourself from Excel macro virus attacks

Excel Macro Security protects your computer from viruses that may be transmitted to your computer via Excel macros.

Macro security changed significantly between Excel 2003 and Excel 2007.

In this article let's see together how to best protect yourself from possible Excel macro attacks.

What is a macro attack?

A macro attack is a case of malicious code injection: a script-based attack delivered as a macro instruction inside a seemingly safe file. Hackers perform these attacks by embedding a script (most often a malware download script) into documents that support macros. The malicious use of macros relies on the human vulnerability of ignorance and carelessness. There are several characteristics of macro attacks that make them particularly dangerous. However, there are also effective solutions to prevent such attacks.

What are Macros?

Macros are commands used in many applications to automate routine processes and significantly expand the range of use of the program. 

There are many functions you can perform on data in Excel. By creating and running a macro, you can list a series of commands that describe a frequently repeated procedure and perform them effortlessly, saving a lot of time. Macros can also call on external resources: they can analyze data from other files on your computer, or even access the network to download items from remote servers.

How does a macro virus work?

The simplest way to conduct a macro attack is to embed a download script in a harmless-looking file. Modern attackers prefer to steal your information to sell it, encrypt your data to extort a ransom, or leverage your endpoint in other ways to their advantage. All these scenarios involve the injection of foreign software into the system. And macros are great at this.

What makes macro attacks particularly dangerous?

Macro attacks are a nuisance for security teams, as they possess certain properties that make them difficult to track and difficult to prevent from spreading.

  • Easy to spread. Macros work on different operating systems. When they land on a machine, they can spread in the same way as computer viruses and Internet worms. The macro can contain commands to modify other files and even file templates. This makes any file created on the infected machine a threat. For example, macros can also establish a network connection to spread malicious files via email.
  • It can be fileless. Malefactors can write macros so that there is no trace of their presence on the computer's hard drive or any other storage device. This makes macro attacks a real instance of a fileless attack, whose code exists only in RAM and not on the victim machine's drive (as a file or in any other form).
  • Easy to obfuscate. There are many algorithms for obfuscating macro code. Obfuscation isn't coding; it's a much simpler procedure, but it is enough to make the text unreadable to a human analyst, or to turn it into a puzzle that must be solved before they can tell whether the macros used are malicious.

When the user is a vulnerability

Macro attacks exploit perhaps the most dangerous vulnerability in cybersecurity: the human user. Lack of computer literacy and inattention make users an easy target for hackers and allow criminals to count on the user executing their malicious package. Criminals have to trick users twice: first to make them download a file containing the macros, and then to convince them to allow the macros to run. There are various tricks that hackers can resort to, but they are mostly the same as those used in most phishing and malware-spreading campaigns.

Macro security in current versions of Excel (2007 and later):

If you want to run macros in current versions of Excel, you need to save the Excel file as a macro-enabled workbook. Excel recognizes macro-enabled workbooks by the .xlsm file extension (rather than the usual .xlsx extension).

Therefore, if you add a macro to a standard Excel workbook and want to be able to run this macro every time you access the workbook, you will need to save it with the .xlsm extension.

To do this, select Save As from the “File” tab of the Excel ribbon. Excel will then display the “Save As” screen or the “Save As” dialog box.

Set the file type to “Excel Macro-Enabled Workbook” and then click the Save button.

The different Excel file extensions make it clear when a workbook contains macros, so this in itself is a useful security measure. However, Excel also provides optional macro security settings, which can be controlled via the options menu.
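The extension is only a useful signal when it matches what the file actually contains, so a triage script should inspect the package rather than trust the name. The following is an added example, not code from the original article: it opens the workbook as the ZIP package it is and reports whether a VBA project is present. The function names are hypothetical and the sample packages are constructed stand-ins, not real workbooks.

```python
import io
import os
import zipfile

# OOXML extensions that are allowed to carry VBA (the article names .xlsm).
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".xlam", ".xlsb"}


def has_vba_project(data: bytes) -> bool:
    """True if the ZIP package holds a VBA project part or declares one."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            return "vbaProject" in types or "macroEnabled" in types
    return False


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension promises with what the package contains."""
    ext = os.path.splitext(filename)[1].lower()
    try:
        macros = has_vba_project(data)
    except zipfile.BadZipFile:
        return "not-ooxml"  # e.g. legacy binary .xls, needs a different parser
    if macros and ext not in MACRO_EXTENSIONS:
        return "mismatch"   # macro content behind a macro-free extension
    return "macro-enabled" if macros else "macro-free"


def make_sample(with_macros: bool) -> bytes:
    """Build a constructed, minimal stand-in package (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flag in [("report.xlsx", False), ("budget.xlsm", True),
                       ("invoice.xlsx", True)]:
        print(name, "->", classify(name, make_sample(flag)))
```

A "mismatch" result is the case worth quarantining: the file name claims to be macro-free while the package says otherwise.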

Macro Security Settings

The four macro security settings:

  • “Disable all macros without notification”: This setting does not allow any macros to run. When you open a new Excel workbook, you aren't warned that it contains macros, so you may not be aware that this is why a workbook isn't working as expected.
  • “Disable all macros with notification”: This setting prevents macros from running. However, if there are macros in a workbook, a pop-up window will warn you that the macros exist and have been disabled. You can then choose to enable macros within the current workbook if you wish.
  • “Disable all macros except digitally signed ones”: This setting only allows macros from trusted sources to run. All other macros do not run. When you open a new Excel workbook, you aren't warned that it contains macros, so you may not be aware that this is why a workbook isn't working as expected.
  • “Enable all macros”: This setting allows all macros to run. When you open a new Excel workbook, you are not warned that it contains macros, and you may not be aware of the macros running while the file is open.

If you choose the second setting, “Disable all macros with notification”, you are given an option to allow the macros to run when you open a workbook that contains macros. This option is presented to you in a yellow band at the top of the spreadsheet.

You only need to click the button in this band if you want to allow macros to run.

Access Excel macro security settings

If you want to view or change the Excel macro security setting in earlier versions of Excel:

  • In Excel 2007: Select the Excel main menu (by selecting the Excel logo at the top left of the spreadsheet) and, at the bottom right of this menu, select Excel Options to display the “Excel Options” dialog box; from the “Excel Options” dialog box, select the Trust Center option and, from this, click the Trust Center Settings… button; from the Macro Settings option, select one of the settings and click OK.
  • In Excel 2010 or later: Select the File tab and, from this, select Options to display the “Excel Options” dialog box; from the “Excel Options” dialog box, select the Trust Center option and, from this, click the Trust Center Settings… button; from the Macro Settings option, select one of the settings and click OK.

Note: When you change the Excel macro security setting, you will need to close and restart Excel for the new setting to take effect.

Trusted locations in current versions of Excel

Current versions of Excel allow you to define trusted locations, i.e. folders on your computer that Excel “trusts”. Excel omits the usual macro checks when opening files stored in these locations. This means that if an Excel file is placed in a trusted location, macros in this file will be enabled, regardless of the macro security setting.

Microsoft has predefined some trusted locations, which are listed under the Trusted Locations option in Excel. You can access it via the following steps:

  • In Excel 2007: Select the Excel main menu (by selecting the Excel logo at the top left of the spreadsheet) and, at the bottom right of this menu, select Excel Options; from the “Excel Options” dialog box that appears, select the Trust Center option and, from this, click the Trust Center Settings… button; select the Trusted Locations option from the menu on the left.
  • In Excel 2010 or later: Select the File tab and from this select Options;
    From the “Excel Options” dialog box that opens, select the Trust Center option and from this, click on the Trust Center Settings… button;
    Select the Trusted Locations option from the left menu.

If you wish to define your own trusted location, you can do it as follows:

  • From the Trusted Locations option, click the Add new location… button;
  • Find the directory you want to trust and click OK.

Attention: We don't recommend making large parts of the drive, such as the entire “My Documents” folder, a trusted location, as this puts you at risk of accidentally allowing macros from untrusted sources.
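The warning above can be turned into a repeatable check. The following is an added example, not part of the original article: given the trusted-location entries copied from the Trust Center dialog, it flags the ones that cover too much ground. The function names, the folder list and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Folder names that usually collect files from outside sources (assumed list).
BROAD_FOLDERS = {"documents", "my documents", "downloads", "desktop"}


def audit_location(path, subfolders_trusted):
    """Return the reasons a trusted location is broader than it should be."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    findings = []
    if p.drive.startswith("\\\\"):
        findings.append("network share: anyone who can write there can plant macros")
    if len(parts) == 1:
        findings.append("entire drive or share root is trusted")
    elif len(parts) == 3 and parts[1] == "users":
        findings.append("entire user profile is trusted")
    elif p.name.lower() in BROAD_FOLDERS:
        findings.append("general-purpose folder '%s' is trusted" % p.name)
    if findings and subfolders_trusted:
        findings.append("subfolders are trusted too, widening the exposure")
    return findings


def audit(locations):
    """Map each risky path to its findings; tight locations are omitted."""
    report = {}
    for path, subfolders_trusted in locations:
        findings = audit_location(path, subfolders_trusted)
        if findings:
            report[path] = findings
    return report


# Constructed sample entries: (path, "subfolders are also trusted" ticked?)
SAMPLE_LOCATIONS = [
    ("C:\\", True),
    ("C:\\Users\\anna\\Documents", True),
    ("C:\\Users\\anna\\Documents\\Finance\\SignedMacros", False),
    ("\\\\fileserver\\share\\macros", False),
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_LOCATIONS).items():
        print(path, "->", "; ".join(findings))
```

A narrow, purpose-built folder such as the third sample entry produces no findings, which is the shape a trusted location should have.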

Ercole Palmeri
