{
	"id": "2f4ef58b-4cdf-4094-9ed8-5d3f3751b4d4",
	"created_at": "2026-04-06T00:16:36.701909Z",
	"updated_at": "2026-04-10T03:20:22.249734Z",
	"deleted_at": null,
	"sha1_hash": "4e4218c5ed1df5ec974f5e580007ae3ead07414f",
	"title": "New feature in Office 2016 can block macros and help prevent infection | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74802,
	"plain_text": "New feature in Office 2016 can block macros and help prevent\r\ninfection | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2016-03-22 · Archived: 2026-04-05 18:25:29 UTC\r\nMacro-based malware infection is still increasing\r\nMacro-based malware continues its rise. We featured macro-based malware in our Threat Intelligence report last\r\nyear, but infections are still increasing.\r\nDespite periodic lulls, infections for the top 20 most detected macro-based malware were high over the past three\r\nmonths.\r\nIn the enterprise, recent data from our Office 365 Advanced Threat Protection service indicates 98% of Office-targeted threats use macros.\r\nNote these are detections and not necessarily successful infections. To learn more about Advanced Threat\r\nProtection and other security features in Office 365, check out this blog and video.\r\nOffice 365 client applications now integrate with AMSI, enabling antivirus and other security\r\nsolutions to scan macros and other scripts at runtime to check for malicious behavior.\r\nThis is part of our continued efforts to tackle entire classes of threats. Learn more:\r\nOffice VBA + AMSI: Parting the veil on malicious macros\r\nThe enduring appeal for macro-based malware appears to rely on a victim’s likelihood to enable macros. Previous\r\nversions of Office include a warning when opening documents that contain macros, but malware authors have\r\nbecome more resilient in their social engineering tactics, luring users to enable macros in good faith and ending up\r\ninfected.\r\nBlock the macro, block the threat\r\nIn response to the growing trend of macro-based threats, we’ve introduced a new, tactical feature in Office 2016\r\nthat can help enterprise administrators prevent the risk from macros in certain high risk scenarios. This feature:\r\n1. Allows an enterprise to selectively scope macro use to a set of trusted workflows.\r\n2. Block easy access to enable macros in scenarios considered high risk.\r\n3. Provide end users with a different and stricter notification so it is easier for them to distinguish a high-risk\r\nsituation against a normal workflow.\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/\r\nPage 1 of 4\n\nThis feature can be controlled via Group Policy and configured per application. It enables enterprise\r\nadministrators to block macros from running in Word, Excel and PowerPoint documents that come from the\r\nInternet. This includes scenarios such as the following:\r\n1. Documents downloaded from Internet websites or consumer storage providers (like OneDrive, Google\r\nDrive, and Dropbox).\r\nNOTES:\r\nThe macro will not be blocked under the following conditions:\r\nWhen the file is opened from the OneDrive location of the user signed into the client, i.e.,\r\nyour own OneDrive location\r\nWhen the file is opened from within the tenant (OneDrive for Business or SharePoint\r\nOnline) of the user signed into the client, i.e., your own tenant.\r\n2. Documents attached to emails that have been sent from outside the organization (where the organization\r\nuses the Outlook client and Exchange servers for email)\r\n3. Documents opened from public shares hosted on the Internet (such as files downloaded from file-sharing\r\nsites).\r\nLet’s walk through a common attack scenario and see this feature in action.\r\nClaudia is an enterprise administrator at Contoso. After a rash of macro-based malware attacks targeting her\r\norganization, she learns of this new feature in Office 2016 and has rolled out a Group Policy update to all Office\r\nclients on the network.\r\nStewart is a cybercriminal looking to attack and penetrate the Contoso network. Stewart uses macro-based\r\nmalware because he’s had recent successes using it. He launches his attack campaign against Contoso by targeting\r\nJames, an employee there.\r\nJames receives an email from Stewart in his inbox that has an attached Word document. The email has content\r\ndesigned to pique James’s interest and influence him to open the attachment.\r\nWhen James opens the Word document, it opens in Protected View. Protected View is a feature that has been\r\navailable in Word, Excel, and PowerPoint since Office 2010. It is a sandboxed environment that lets a user read\r\nthe contents of a document. Macros and all other active content are disabled within Protected View, and so James\r\nis protected from such attacks so long as he chooses to stay in Protected View.\r\nHowever, Stewart anticipates this step and has a clear and obvious message right at the top of the document\r\ndesigned to lure James into making decisions detrimental to his organization’s security. James follows the\r\ninstructions in the document, and exits Protected View as he believes that will provide him with access to contents\r\nof the document. James is then confronted with a strong notification from Word that macros have been blocked in\r\nthis document by his enterprise administrator. There is no way for him to enable the macro from within the\r\ndocument.\r\nJames’s security awareness is heightened by the strong warning and he starts to suspect that there is something\r\nfishy about this document and the message. He quickly closes the document and notifies his IT team about his\r\nsuspicions.\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/\r\nPage 2 of 4\n\nThis feature relies on the security zone information that Windows uses to specify trust associated with a specific\r\nlocation. For example, if the location where the file originates from is considered the Internet zone by Windows,\r\nthen macros are disabled in the document. Users with legitimate scenarios that are impacted by this policy should\r\nwork with their enterprise administrator to identify alternative workflows that ensure the file’s original location is\r\nconsidered trusted within the organization.\r\nUse Group Policy to enforce the setting, or configure it individually\r\nAdministrators can enable this feature for Word, Excel, and PowerPoint by configuring it under the respective\r\napplication’s Group Policy Administrative Templates for Office 2016. For example, to enable this setting for\r\nWord:\r\n1. Open the Group Policy Management Console, right-click the Group Policy Object you want to configure\r\nand click Edit.\r\n2. In the Group Policy Management Editor, go to User configuration.\r\n3. Click Administrative templates \u003e Microsoft Word 2016 \u003e Word options \u003e Security \u003e Trust Center.\r\n4. Open the Block macros from running in Office files from the Internet setting to configure and enable it.\r\nYou can read more about this Group Policy setting at Plan security settings for VBA macros in Office 2016.\r\nFinal tips\r\nFor end-users, we always recommend that you don’t enable macros on documents you receive from a source you\r\ndo not trust or know, and be careful even with macros in attachments from people you do trust – in case they’ve\r\nbeen hacked.\r\nFor enterprise administrators, turn on mitigations in Office that can help shield you from macro based threats,\r\nincluding this new macro-blocking feature. If your enterprise does not have any workflows that involve the use of\r\nmacros, disable them completely. This is the most comprehensive mitigation that you can implement today.\r\nMore info for end-users: Learn how to enable or disable macros in Office files\r\nMore info for admins and IT professionals: Learn about security and compliance in Office 365\r\nRelated blog entry: Machine learning vs. social engineering\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity.\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/\r\nPage 3 of 4\n\nSource: https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infectio\r\nn/\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
	],
	"report_names": [
		"new-feature-in-office-2016-can-block-macros-and-help-prevent-infection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e4218c5ed1df5ec974f5e580007ae3ead07414f.pdf",
		"text": "https://archive.orkl.eu/4e4218c5ed1df5ec974f5e580007ae3ead07414f.txt",
		"img": "https://archive.orkl.eu/4e4218c5ed1df5ec974f5e580007ae3ead07414f.jpg"
	}
}