Blocking emails with VBA Macros

Exterous

Super Moderator
Jun 20, 2006
20,616
3,840
126
I inherited a setup where we block any email with an Office document containing a VBA macro in it. In the past this wasn't much of an issue, but over the last six months there has been a sharp increase in the number of suppliers and vendors sending out forms with macros in them.

Is it really worth the added security to block VBA-containing attachments? It's getting to the point where I may have to justify the setting to keep it, but from what I can see there doesn't seem to be a large case for doing so.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
I've not seen a very large number of Office VBA macro-based attacks these days.

It might be worth enforcing group policy on your computers to block VBA-based macros from running inside documents and simply allow all Office documents through the email filtering. That way users can view the documents but no macros are executed.

I've not done this myself but I'm reasonably sure it can be done. If you have a domain controller, push out a policy there; if not, you'll have to set it on each individual PC. If it's not part of the stock GPO then I think there's a Microsoft Office update for GPO that might contain it.

If you manage to get it working please let us know your solution.
 

Exterous

> I've not seen a very large number of Office VBA macro-based attacks these days.
>
> It might be worth enforcing group policy on your computers to block VBA-based macros from running inside documents and simply allow all Office documents through the email filtering. That way users can view the documents but no macros are executed.

We have a lot of internal data tracking and calculations done via macros, so I suspect this is why it was originally done via the firewall instead of a GPO. I think I would get more pushback from that than from keeping the firewall setting. Still, it's something to consider - thank you.
 

PrincessFrosty

I did suspect.

One issue you're going to have is that firewall or perimeter security might catch attached files containing macros in emails but not if they're links to externally hosted variants, so without a GPO active it's really only a limited number of attacks you're stopping.

I personally see more emails trying to get files through to users which are links to popular professional file sharing sites. Although that's just my own subjective experience.

The only really decent solution here is helping to provide resources and education to your users on how to spot malicious/suspect emails in the first place. Education is always key with these things.