On July 8, Microsoft reversed its February decision to block macros in Excel documents by default. Microsoft had said it would block Excel files containing macros if they were downloaded from the Internet. (These lures are used by malicious actors to launch attacks on networks; in particular, ransomware and other types of malicious activity can be launched from an ordinary malicious spreadsheet.)
Microsoft still plans to implement this block, but only after "a better experience." In the meantime, you can take action now so you don't have to worry about changes in the future.
If you work for a company that has developed spreadsheets for its own internal use, the spreadsheet may not have a digital signature. Signing males is similar to how websites use SSL certificates to validate that the site is legitimate. The hardest part of the self-signing process is deciding whether to purchase a code signing certificate or use the self-signed certificate process. (I can tell you from personal experience that trying to purchase a code signing certificate is an expensive and time-consuming process. I don't recommend this option except for large companies where the code signing process is routine.)
For everyone else, I recommend autosigning your Excel macros. The hard part is getting the program that allows you to do this. You will need to follow this knowledge base article to find the location of the selfcert.exe file on your computer. In my case, the file is located in "C:\Program Files\Microsoft Office\rootOffice16" (if you are using the 64-bit version of Office). Start the selfcert.exe program and give the certificate a friendly name, such as MyExcelFiles.
In the search box on your Windows computer, type mmc.exe to start the management console. Click on the file, then “add/remove plugin”, then “certificate plugin” and add it to your admin view. You will need to add it to “My User Account”. Click Certificates > Current User and then Personal Certificate Store. You should now see this "MyExcelFiles" certificate in your certificate store. You can double click on it to see the certificate. (It should say that the root CA certificate is not trusted - this is normal with a self-signed certificate.)
Now open the Excel file that you want to encrypt with your self-signed certificate. (You'll need to add the Developer tab to your Excel spreadsheet if it's not already showing.) After clicking File > more > options, select “Customize Ribbon” on the left. Next, select “Main Tabs” on the right, check the “Developer” box, and click the “OK” button.
On the Developer tab, in the Code group, select Visual Basic. In Visual Basic, on the Tools menu, click Digital Signature. When the Digital Signature dialog box appears, select a certificate and click OK. Save Visual Basic and close the Visual Basic interface. Now save your Excel file again.
It is also important to check the macro security settings on your computer. On the Developer tab (still in the Code group), click Macro Security. In the Macro Settings category, choose the option you want. Once all the Excel files you use are signed with your self-signed certificate, you can change the setting to "Disable VBA macros, except digitally signed macros."
Now it's time to review spreadsheets that include macros. If you have downloaded any online and don't know where it came from, stop. You will need to verify that they are not malicious by uploading the files to www.reverse.it or www.virustotal.com to see what is in the file. Once you've identified the Excel files with the macros you want to use (but haven't personally developed), your next step is to make sure each of those Excel files doesn't have "web branding."
Don't open the files, just right click on the excel spreadsheet and select properties. On the general tab, look for a prompt that says "This file is from another computer and may be locked to help protect this computer." You need to click the box that says “Unlock” and click to apply. Now that the file has been scanned and unlocked, open it, digitally sign it, and save it again. This will ensure that your Excel files are signed by you; if you open them in the future, you will know if they have been tampered with.
For a small business that saves and shares Excel files, I recommend setting up a secure location on your network for trusted Excel spreadsheets. Go to Excel and click File > Options > Trust Center, then Trust Center Settings; here you can review the locations that you consider "trusted". By default, Excel doesn't trust a network location. Although Microsoft doesn't recommend adding a trusted location on the network, for business purposes, I add a specific site or location and then check who has access to that location. Be clear about who needs access to the macros, and in particular access to this trusted network location. Not everyone in your office needs this level of access. In fact, most of your users, even in a small business, probably don't. Plan accordingly.
Deciding who and what has access to a trusted location could mean the difference between getting hit with ransomware or not. Not everyone needs an Excel file with a macro. Not everyone needs trusted locations on their network. But the attackers would clearly like us not to make those decisions.
Microsoft will eventually block macros in Excel documents downloaded from the Internet. Take the time now to anticipate this change; don't wait for Microsoft to implement it again.
Copyright © 2022 IDG Communications, Inc.