How to prevent scripting attacks in Microsoft Office

Rise in phishing attempts requires another look at your Microsoft Office settings to minimise the risk of a user executing a malicious script
Source: IDGNS

26 February 2020

If you have looked at your inbox lately, you will not be surprised to hear that phishing attacks increased 400% in the first seven months of 2019. Those phishing attacks attempted to either tricking a user to go to a website or open an Office document. Phishing attack that try to get you to open an Office document often call a script to take additional action. Scripts are most often used in malicious macros to call actions.

What is an IT admin to do when dealing with malicious Office documents? Plenty. First, you need to identify and stratify who in your office really needs a fully functioning Office implementation. You can mix and match how you deploy Office. Can your users get by with a ‘kiosk’ style, Web-based version of Office that is not installed on the system directly and can be used more in a sandbox mode?

Can you restrict users from running Office macros? Generally speaking, most users can get by with a basic Office suite and do not need to use advanced features such as macros. You can restrict the use of macros to just those users that must have it for their productivity.




For those with a traditional domain infrastructure, you can limit Office macros with Group Policy. The threat of macros is not new. As far back as Office 2010, Microsoft provided the ability to block macros. With Office 2016, administrators can block macros in documents that come to you from the web. Better known as ‘mark of the Web,’ this metadata flagging allows administrators more granular control over how and where your users can open files.

As always, do not underestimate the need for end-user education. Letting your users know what files should look like and how they should respond to the prompts goes a long way to keeping your network safe.

Train users to look for the yellow and red warning communications at the top of files that they open from external sources. Even if they open a file from a known sender, instruct users to look for these telltale signs whether their documents are safe to open.

By now you should have some sort of e-mail hygiene that all e-mail and all attachments are run through before the user is able to open them. Do not consider this foolproof. Attackers know that we are filtering email and scanning attachments, and there has been a shift toward fewer malicious attached documents and more malicious documents being hosted in the cloud. That gives your hygiene engines a much harder time protecting you.

Microsoft recently previewed a new Microsoft 365 E5 subscriptions feature called Safe Documents. Building on the foundation of protected view, the service checks Excel, PowerPoint and Word documents against known risks and threat profiles before a user can open them. Another service in preview is Application Guard for Office 365 Pro Plus, which puts Office in a sandbox environment. Similar to Windows Defender Application Guard for the Edge browser, it places malicious documents in a sandbox so they cannot break out into the base operating system.

If you have an active Microsoft 365 E5 license, you can enable the preview by going to the Office 365 Security & Compliance Centre. Go to “Threat management” > “Policy” > “ATP Safe Attachments.” In the “Help people stay safe when trusting a file to open outside Protected View in Office applications” section, configure the following settings:

  • Turn on “Safe Documents for Office clients.” (Files will also be sent to Microsoft Cloud for deep analysis.)
  • Make sure “Allow people to click through Protected View even if Safe Documents identifies the file as malicious” is not enabled.
  • When you are finished, click “Save.”

Application Guard is currently in preview, but you can sign up for the private beta.

Keep in mind that you can mix and match the different versions of Microsoft licensing inside your Office 365 deployment. You may wish to prioritise the protection of Office for certain highly targeted users in your organisation, and then enable web versions of the Office platform for others. You may even consider using alternative platforms to the Office suite for users in your organisation that do not need the full collaborative environment.

As we move to more web environments, documents can often be shared through other means such as read-only PDF files, online forums or web forms. Not only does everyone in your organisation not need to run a macro in their Office documents, they may need different tools to do their work and may not need the full Office suite anymore.

Licensing different versions of Office has a direct effect on your security posture. Review who needs what, where and when. Assign the right tool to the user and educate them on what communication that application will provide to them to help them make the right security decisions.

IDG News Service

Read More:

Back to Top ↑