Following numerous reports from various security firms about a large number of malware variants that use macro scripts embedded in Office documents to infect users, the US-CERT team has issued an official alert to all organizations about this resurging threat.

Macros are not malicious by nature, being added to automate various operations in the Office suite.

Macro malware, as this threat is sometimes called, relies on macro scripts attached to Office files that execute when the document is opened, if there's no security restriction. These scripts carry out various operations, in the context of the Office application it runs from.

Macro malware was very popular 20 years ago

Macro malware was extremely popular in the 90s, when it helped many worms and viruses spread, such as the Melissa virus.

Initially, macros had the ability to execute when you opened a file, a feature which malware coders loved. Microsoft course-corrected with Office 97, showing a very informative popup with all sorts of warnings and options to avoid opening a file with automatically-executing macros.

These popups managed to curb down macro malware popularity, and as the 2000s came, this type of malware distribution technique almost died out.

Macro script popup in Office 97

Unfortunately, Microsoft made a huge design mistake when it decided that starting with Office 2007 it would remove the informative popup that appeared before the file was opened, and transform it into a notification bar, inside the application, after the user opened the file.

Microsoft still blocked automatic macro execution at document startup, but the notification bar was very light on security warnings. The information displayed in these notifications didn't make Office users understand what macros were and what are their direct consequences.

Macro malware resurgence is because of one bad UI decision

From a warning in Office 97 that included five lines of text, of which a sentence read "Some macros may contain viruses that could harm your computer," the message was narrowed down to six words saying "SECURITY WARNING Macros have been disabled."

Microsoft didn't give any reason why macros were disabled, or what would happen if the user turned them on. Starting with Office 2010, right next to this warning there is even a huge button that reads "Enable Content" that, you guessed it, enables macros.

Crooks didn't notice this change at first, but they eventually caught on, and here we are today, in the second age of macro malware, two decades after it was almost eradicated.

UI & UX design has a role in everything, and it sure had an impact on the malware scene. With no visible and informative message, users returned to their old habit of enabling macro scripts "in order to view the file's content," a common trick used by malware coders to fool users into enabling macros and executing their malware.

If you still think macro malware is not a potent threat, just search our website for the term, and you'll see almost weekly reports on a new malware family employing this technique to distribute, or some cyber-espionage group targeting its victims with malicious Office docs.

US-CERT Australia has a collection of recommendations regarding macro malware security.