Late Addition #2 EXECUTIVEDOCUMENTSUMMARY
SubmittalDates Department:Information Technology
ContactPerson:______Ron Plamondon FExecutiveBoard:______ 01/15/2019 TelephoneNo.:______ F■ RegularSession: ______
SourceSelectionMethod VENDOR:______Rack Space/ACS F■ BidQuotation Address:______ FOther:______ Phone:______
$ 0.00 $ 3,520.00 BudgetedAmount: ______ ContractedAmount: ______
DocumentDescription
F■ ProfessionalBoard/Committee ServiceRecommendation FOther______
F■ RequestRequesttotoWaWaiveiveBoaBoardrdPolicyPolicyonBBididRequirementsRequirements
Requesting approval to convert 110 of our basic eMail accounts to Hosted Exchange utilizing our existing eMail vendor Rack Space. The additional cost per eMail account is $32.00 per year, for a total increase of $3,520.00 for 2019. The reason is to better secure our email system and to provide for the ability to restrict Word 2016 and Excel 2016 macro execution for all Internet-based documents. This is a new feature in both Word 2016 and Excel 2016 and we are moving a majority of our computers to the new version.
Suggested Motion to approve the upgrade of our basic eMail accounts to Hosted Exchange accounts with Rack Space, at a cost of $3,520.00; funds to come from Data Recommendation:Processing Fund #636.
Digitally signed by Ron Plamondon Date: 2019.01.14 14:02:49 -05'00' 01/14/2019 DepartmentHeadApproval:______Date: ______New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2
Microsoft Secure
New feature in Office 2016 can block macros and help prevent infection
March 22, 2016
WINDOWS DEFENDER RESEARCH
in Office 365 Advanced Threat Protection, Windows, Endpoint Security, Threat Protection, Research
Macro-based malware is on the rise and we understand it is a Office 365 client applications now frustrating experience for everyone. To help counter this threat, we are integrate with AMSI, enabling antivirus releasing a new feature in Office 2016 that blocks macros from and other security solutions to scan loading in certain high-risk scenarios. macros and other scripts at runtime to Macro-based malware infection is still increasing check for malicious behavior.
Macro-based malware continues its rise. We featured macro-based This is part of our continued efforts to malware in our Threat Intelligence report last year, but infections are tackle entire classes of threats. Learn still increasing. more:
Despite periodic lulls, infections for the top 20 most detected macro- Office VBA + AMSI: Parting the veil based malware were high over the past three months. on malicious macros
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2
In the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.
Note these are detections and not necessarily successful infections. To learn more about Advanced Threat Protection and other security features in Office 365, check out this blog and video.
The enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous versions of Office include a warning when opening documents that contain macros, but malware authors have become more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up infected.
Block the macro, block the threat
In response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016 that can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:
1. Allows an enterprise to selectively scope macro use to a set of trusted workflows. 2. Block easy access to enable macros in scenarios considered high risk. 3. Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk situation against a normal workflow.
This feature can be controlled via Group Policy and configured per application. It enables enterprise administrators to block macros from running in Word, Excel and PowerPoint documents that come from the Internet. This includes scenarios such as the following:
1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google Drive, and Dropbox). https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2 • NOTES: The macro will not be blocked under the following conditions:
• When the file is opened from the OneDrive location of the user signed into the client, i.e., your own OneDrive location • When the file is opened from within the tenant (OneDrive for Business or SharePoint Online) of the user signed into the client, i.e., your own tenant.
2. Documents attached to emails that have been sent from outside the organization (where the organization uses the Outlook client and Exchange servers for email) 3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing sites).
Let’s walk through a common attack scenario and see this feature in action.
Claudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her organization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office clients on the network.
Stewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based malware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting James, an employee there.
James receives an email from Stewart in his inbox that has an attached Word document. The email has content designed to pique James’s interest and influence him to open the attachment.
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2
When James opens the Word document, it opens in Protected View. Protected View is a feature that has been available in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read the contents of a document. Macros and all other active content are disabled within Protected View, and so James is protected from such attacks so long as he chooses to stay in Protected View.
However, Stewart anticipates this step and has a clear and obvious message right at the top of the document designed to
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure
lure James into making decisions detrimental to his organization’s security.Late James follows Addition the instructions in#2 the document, and exits Protected View as he believes that will provide him with access to contents of the document. James is then confronted with a strong notification from Word that macros have been blocked in this document by his enterprise administrator. There is no way for him to enable the macro from within the document.
James’s security awareness is heightened by the strong warning and he starts to suspect that there is something fishy about this document and the message. He quickly closes the document and notifies his IT team about his suspicions.
This feature relies on the security zone information that Windows uses to specify trust associated with a specific location. For example, if the location where the file originates from is considered the Internet zone by Windows, then macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should work with their enterprise administrator to identify alternative workflows that ensure the file’s original location is considered trusted within the organization.
Use Group Policy to enforce the setting, or configure it individually
Administrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective application’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for Word:
1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit. 2. In the Group Policy Management Editor, go to User configuration. 3. Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center. 4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2
You can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.
Final tips
For end-users, we always recommend that you don’t enable macros on documents you receive from a source you do not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve been hacked.
For enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats, including this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of macros, disable them completely. This is the most comprehensive mitigation that you can implement today.
More info for end-users: Learn how to enable or disable macros in Office files
More info for admins and IT professionals: Learn about security and compliance in Office 365
Related blog entry: Machine learning vs. social engineering
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.
Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.
Tags
MACRO MALWARE MALWARE RESEARCH WINDOWS 10 WINDOWS DEFENDER ANTIVIRUS
WINDOWS DEFENDER AV
Older Post Newer Post
RELATED BLOG POSTS
Best practices for securely using Guide to Developing a National Be careful of data without context: Microsoft 365—the CIS Microsoft 365 Cybersecurity Strategy—a resource The case of malware scanning of Foundations Benchmark now for policymakers to respond to journaled emails Recent research on available The Center for Internet cybersecurity challenges Multi- email journaling—an often used Security’s (CIS) Microsoft 365 stakeholder collaboration helps to testing methodology—shows it can Foundations Benchmark provides build better security policies in the lead to misinterpreted results.... prescriptive guidance for recently released Guide to Read more establishing... Developing...
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure
Read more Read more Late Addition #2
Related Blogs
Microsoft Security Response Center blog
Microsoft Security Guidance blog
Security Research & Defense blog
Enterprise Mobility + Security blog
Office 365 Security blog
Security in Azure
Follow Microsoft
What's new Store & Support Education
NEW Surface Pro 6 Account profile Microsoft in education
NEW Surface Laptop 2 Download Center Office for students
NEW Surface Go Sales & support Office 365 for schools
Xbox One X Returns Deals for students & parents
Xbox One S Order tracking Microsoft Azure in education
VR & mixed reality Store locations
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM] New feature in Office 2016 can block macros and help prevent infection - Microsoft Secure Late Addition #2 Windows 10 apps Support
Office apps Buy online, pick up in store
Enterprise Developer Company
Microsoft Azure Microsoft Visual Studio Careers
Enterprise Windows Dev Center About Microsoft
Data platform Developer Network Company news
Find a solution provider TechNet Privacy at Microsoft
Microsoft partner resources Microsoft developer program Investors
Microsoft AppSource Channel 9 Diversity and inclusion
Manufacturing & resources Office Dev Center Accessibility
Financial services Microsoft Garage Security
English (United States) Sitemap Contact Microsoft Privacy & cookies Terms of use Trademarks Safety & eco About our ads © Microsoft 2019
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/[1/14/2019 1:59:05 PM]