Blocking Microsoft Office macros for security could do more work for financial firms

Microsoft’s initial announcement to block macros downloaded from the Internet by default in Office applications is proving to be a problem for security vendors. The software giant has since announced that it will “undo” the default blocking of VBA macros. (Photo by Drew Angerer/Getty Images)

Microsoft’s announcement earlier this month that Internet macros would be blocked by default in Office apps is causing a real headache for financial institutions and the security vendors who work with them.

Following revived reports that North Korean threat actors introduced their ransomware payloads into businesses – including financial firms and their small and medium-sized business customers – via Visual Basic application macros in Microsoft Office led to the software giant’s security decision. VBA macros in particular are often used in Microsoft’s ubiquitous Excel spreadsheet program so that businesses (small and large) can create their own custom generated functions and allow Excel users to speed up common tasks and take shortcuts. VBA macros can also be used to access Windows APIs.

Earlier this month, an article on Microsoft’s corporate site stated, “VBA macros are a common way for malicious actors to gain access to deploying malware and ransomware. Therefore, to help improve security in Office, we are changing the default behavior of Office applications to block macros in files from the Internet. As a result, when Office users open files from the Internet that contain macros, including email attachments, users receive a message highlighting “Security Risk… [which has] Blocked macro execution because the source of this file is untrusted. »

But given the long-standing ubiquity of Microsoft Office – particularly Excel and particularly in financial institutions and financial services, where many small community banks are virtually run in-house on Excel – some industry observers see a I don’t like the idea of ​​shutting down external macros, as a step this will greatly compromise the efficiency of financial services companies.

“As we work closely with partners in the finance and banking industry, we understand that macros are an integral part of our customers’ workflows,” said Michael Tal, CTO of Votiro, a security-focused company. cloud. “With the news of VBA macro documents being blocked by default, and then later with Microsoft’s decision to roll back changes based on feedback, this can significantly hamper business productivity.”

More than 3.7 million businesses worldwide (at least 1.2 billion users) used Microsoft Office 365 last year, giving it 54% of the market, according to data from Enlyft. Financial services is one of the top five industries using Office, with more than 90,000 financial business users worldwide, per Enlyft.

Tal, a former member of the Israeli army’s intelligence force who currently works closely with dozens of major financial organizations, pointed out that “macros are a powerful tool in the financial industry, as they are used to create robust financial modeling, calculating loan interest, automating repetitive and laborious tasks, these are sets of recorded actions that can be performed to save time and labor.

Excel macros are also often used to simplify budget forecasting and “makes a difference in the daily workload of any entity that uses it as it speeds up the process of generating a task after finalizing the creation of the macro and defined the variables,” added Tal.

Jonathan Golan, a chartered professional accountant and longtime investment professional, pointed out that when macros are used by financial services companies like funds and private equity firms, “it’s usually in financial modeling “. For example, macros can allow someone to insert an asset pool into a model “instead of copying and pasting a row 1,000 times”.

“Obviously, macros save time for those who use them,” Golan added. “Blocking them can hurt productivity because you’ll have to do these manual, routine tasks yourself.”

However, balancing security, convenience and productivity is a juggling act that is likely to take a long time, especially for efficiency-driven financial institutions.

In the second half of last year alone, Votiro witnessed 634,203 threats against financial institutions, according to a report published in February.

“With Microsoft’s intentions to fight Emotet, Trickbot, Qbot, Dridex,” Tal added, “[Microsoft] will have to come up with a much more creative approach to managing legitimate business use macros and enabling business continuity without compromising security.

Maria D. Ervin