• Komodo Research

Is Macro Malware Dead?



To answer the question, of whether this is the end of Macro Malware, we must go on a short journey:


Let’s start with the basics.

What are macros and why are they needed?

One can use macros to automate tasks in Microsoft Office applications. For example, they can speed up repetitive processes, or make complex tasks easier to complete.

One can create macros using the Visual Basic for Applications (VBA) programming language, or record them using the macro recorder.

What is macro malware?

Macro malware often spreads via email attachments by sending infected macro-enabled files, such as Microsoft Word or Excel documents. Opening these files executes the macros and installs the malware on the victim's computer. Attackers often use macro malware to install other types of malware, such as ransomware or trojans. It is a Remote Code Execution (RCE) on the victim’s computer. Macro malware is no longer as effective as it once was because users have become more aware of the dangers of opening email attachments and downloads from an unknown source. In addition, many email providers now block or scan for macros in attachments. While macro malware is not as prevalent as it once was, it is still a threat.

Furthermore, Microsoft has released a new update that might be the last blow to macro malware. As stated last month by Microsoft, “Macros from the internet will be blocked by default in Office.” However, as of today, when running a macro-enabled file such as Word, Microsoft gives users a choice whether to enable macros or not, with the following warning message:

However, in the next few months, the new Microsoft update will be out, and the warning message will be:

They are not giving any choice to the user, blocking the macros by default from any file coming from the internet. So essentially, macros will no longer run on any user with the latest version of Office.

Of course, this will only occur once the update is released. However, Microsoft still provides a way to enable macros from downloaded files, which need to be manually enabled on every file. Essentially, this lowers the probability of macro malware attacks.

Ultimately, we think macro malware risk will be reduced significantly in the future once Microsoft delivers updates to every computer.


With all that said, there is an idiom we like, “When one door closes another one opens.”

On May 30, 2022, a new 0-day vulnerability CVE-2022-30190 named “Follina” was reported. Once a person opens the document of an Office application, Word’s Remote Template feature fetches an HTML file from a remote web server that uses the “ms-msdt” MSProtocol URI scheme to load code and execute PowerShell.

The attack flow resembles macro malware in that an attacker crafts a malicious Office document and sends it to their target. Opening the document executes any PowerShell code the attacker crafted.


To conclude, we expect to see macro malware dying soon; the bad news is that Follina is a newborn.

Is your business secure? Komodo Consulting’s Cyber Security Consultants can help you enhance your company’s Security Infrastructure and adhere to the best practices. Contact us for a free consultation.


294 views