sbradley
Contributing Writer

How to prevent scripting attacks in Microsoft Office

How-To
Feb 26, 2020, 5 mins
Malware, Phishing, Security

The rise in phishing attempts requires another look at your Microsoft Office settings to minimize the risk of a user executing a malicious script.

[Image: scripting code displayed on a laptop in a dark room. Credit: Suebsiri / Getty Images]

If you have looked at your inbox lately, you won’t be surprised when I say that phishing attacks increased 400% in the first seven months of 2019. Those phishing attacks attempted either to trick a user into visiting a website or to get them to open an Office document. Phishing attacks that try to get you to open an Office document often call a script to take additional action, and those scripts are most often carried in malicious macros.

What’s an IT admin to do when dealing with malicious Office documents? Plenty. First, you need to identify and stratify who in your office really needs a fully functioning Office implementation. You can mix and match how you deploy Office. Can your users get by with a “kiosk” style, web-based version of Office that isn’t installed on the system directly and can be used more in a sandbox mode?

[Figure: Office web versions limit impact to desktops. Credit: Susan Bradley]

Can you restrict users from running Office macros? Generally speaking, most users can get by with a basic Office suite and do not need to use advanced features such as macros. You can restrict the use of macros to just those users that must have it for their productivity.

For those with a traditional domain infrastructure, you can limit Office macros with Group Policy. The threat of macros is not new. As far back as Office 2010, Microsoft provided the ability to block macros. With Office 2016, administrators can block macros in documents that come to you from the web. Better known as “mark of the web,” this metadata flagging allows administrators more granular control over how and where your users can open files.
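The following PowerShell audit is an added example, not part of the article: it reads the Group Policy registry values that control macro behaviour and the "block macros from the Internet" setting for Word, Excel and PowerPoint, and includes a helper that tests whether a downloaded file carries the mark of the web. It assumes Office 2016 or Microsoft 365 Apps (registry version key "16.0"); the function names are my own.

```powershell
# Added audit example (not from the article). Assumes Office 2016 / Microsoft 365 Apps,
# whose policy keys live under ...\Office\16.0\<App>\Security.
$apps    = 'Word', 'Excel', 'PowerPoint'
$hives   = 'HKLM:', 'HKCU:'    # machine policy is evaluated before user policy
$version = '16.0'

# Meaning of the VBAWarnings policy value (Trust Center > Macro Settings)
$vbaLevels = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable with notification (default)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $result = [ordered]@{ Application = $app; VBAWarnings = 'not set';
                              BlockInternetMacros = $false; Source = 'none' }
        foreach ($hive in $hives) {
            $key = "$hive\Software\Policies\Microsoft\Office\$version\$app\Security"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            $found = $false
            if ($null -ne $props.VBAWarnings) {
                $level = $vbaLevels[[int]$props.VBAWarnings]
                $result.VBAWarnings = if ($level) { $level } else { "unknown ($($props.VBAWarnings))" }
                $found = $true
            }
            # "Block macros from running in Office files from the Internet" (Office 2016+)
            if ($props.blockcontentexecutionfrominternet -eq 1) {
                $result.BlockInternetMacros = $true
                $found = $true
            }
            if ($found) { $result.Source = $hive; break }   # first hive with policy wins
        }
        [pscustomobject]$result
    }
}

# Mark of the web: downloaded files carry a Zone.Identifier stream; ZoneId=3 is the Internet zone
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]($zone -match '^ZoneId=3')
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it on a workstation that has received policy to confirm that "BlockInternetMacros" is true for every application you expect it to be; a document for which Test-MarkOfTheWeb returns true is exactly the kind the policy is meant to stop.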

As always, don’t underestimate the need for end-user education. Letting your users know what files should look like and how they should respond to the prompts goes a long way to keeping your network safe.

[Figure: Protected View has been built in since Office 2010. Credit: Susan Bradley]

Train users to look for the yellow and red warning bars at the top of files that they open from external sources. Even if they open a file from a known sender, instruct users to look for these telltale signs that indicate whether their documents are safe to open.

By now you should have some sort of email hygiene process that all email and attachments pass through before the user is able to open them. Don’t consider this foolproof. Attackers know that we are filtering email and scanning attachments, and I’ve seen a shift toward fewer malicious attached documents and more malicious documents being hosted in the cloud. That gives your hygiene engines a much harder time protecting you.

Microsoft recently previewed a new Microsoft 365 E5 subscription feature called Safe Documents. Building on the foundation of Protected View, the service checks Excel, PowerPoint and Word documents against known risks and threat profiles before a user can open them. Another service in preview is Application Guard for Office 365 ProPlus, which puts Office in a sandbox environment. Similar to Windows Defender Application Guard for the Edge browser, it opens untrusted documents in a sandbox so that malicious content can’t break out into the base operating system.

If you have an active Microsoft 365 E5 license, you can enable the preview by going to the Office 365 Security & Compliance Center. Go to “Threat management” > “Policy” > “ATP Safe Attachments.” In the “Help people stay safe when trusting a file to open outside Protected View in Office applications” section, configure the following settings:

  • Turn on “Safe Documents for Office clients.” (Files will also be sent to Microsoft Cloud for deep analysis.)
  • Make sure “Allow people to click through Protected View even if Safe Documents identifies the file as malicious” is not enabled.
  • When you’re finished, click “Save.”
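The same two settings can be applied and verified from Exchange Online PowerShell rather than the Security & Compliance Center. This is an added example, not from the article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account is an admin on a tenant with the Microsoft 365 E5 Safe Documents preview, and that the Set-AtpPolicyForO365 parameters -EnableSafeDocs and -AllowSafeDocsOpen are available in your tenant. The account name is a placeholder.

```powershell
# Added example (not from the article): enable Safe Documents and block click-through
# from PowerShell, then verify the resulting policy.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

# Mirror the two article settings: Safe Documents on, and no clicking through
# Protected View when Safe Documents has flagged the file as malicious.
Set-AtpPolicyForO365 -EnableSafeDocs $true -AllowSafeDocsOpen $false

# Read the policy back and report whether it matches the intended state
function Test-SafeDocsPolicy {
    $policy = Get-AtpPolicyForO365
    [pscustomobject]@{
        SafeDocsEnabled     = [bool]$policy.EnableSafeDocs
        ClickThroughBlocked = -not [bool]$policy.AllowSafeDocsOpen
        Compliant           = ([bool]$policy.EnableSafeDocs -and -not [bool]$policy.AllowSafeDocsOpen)
    }
}

$state = Test-SafeDocsPolicy
$state | Format-List
if (-not $state.Compliant) { Write-Warning 'Safe Documents policy is not in the intended state' }
```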

Application Guard is currently in preview, but you can sign up for the private beta.

Keep in mind that you can mix and match the different versions of Microsoft licensing inside your Office 365 deployment. You may wish to prioritize the protection of Office for certain highly targeted users in your organization, and then enable web versions of the Office platform for others. You may even consider using alternative platforms to the Office suite for users in your organization that do not need the full collaborative environment.

[Figure: Various Office versions (prices in USD). Credit: Susan Bradley]

As an aside, I strongly recommend purchasing at least one copy of Microsoft 365 E5 so that you can preview and evaluate the full suite of Microsoft’s security software. It’s unreasonable to purchase this suite for everyone in your organization, but it’s justifiable for certain personnel or positions.

As we move to more web environments, documents can often be shared through other means such as read-only PDF files, online forums or web forms. Not everyone in your organization needs to run macros in Office documents; some users may need different tools to do their work and may not need the full Office suite anymore.

Licensing different versions of Office has a direct effect on your security posture. Review who needs what, where and when. Assign the right tool to the user and educate them on what communication that application will provide to them to help them make the right security decisions.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
