Hi All,
From my perspective, these macro enabled files need to be blocked and
enabling the OLEVBMacro plugin and using the KAM ruleset will help in
that goal.
NOTE: Microsoft says these macros need to be vetted every time they
leave your control. The recent change from Microsoft to disable also
goes back to 2013 not just o365. Here's a better article:
https://arstechnica.com/gadgets/2022/02/microsoft-will-block-downloaded-macros-in-office-versions-going-back-to-2013/
Finally, in my stack, "We work to score Office documents with macros so
they are considered spam due to the risk in receiving them." and have
done so for years.
Regards,
KAM
On 3/15/2022 3:42 PM, Greg Troxel wrote:
> Alex writes:
>
>> I'm just curious if this announcement has changed anyone's thinking
>> about how we should be handling docx/xlsx/etc attachments in email?
>> This obviously doesn't prevent someone from emailing a document with a
>> malicious macro, but is this going to provide sufficient protection
>> once a potentially malicious document is received to relax email
>> protections a bit?
>>
>> https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change
>>
>> Are you outright blocking these attachments? Perhaps you're only
>> blocking those with macros?
>>
>> Is the ExtractText plugin good enough to extract potentially malicious
>> links to be checked?
>
> Can you explain your thinking on the causal link and timeline from an
> announcement to 99.999% of actual Windows systems having updated code
> that behaves this way?
>
> The article says
>
> "The change will apply to Office files that are downloaded from the
> internet and include macros"
>
> which implies that other files - which may or may not have arrived in
> mail - might be treated differently.
>
> It talks about Office 365. It doesn't say anything about old,
> unmaintained copies of Office on XP.
>
> I don't see any reason it makes sense to lighten up on protections.
--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
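
The thread asks whether to block all Office attachments or only those carrying macros. The following is an added example, not part of any message above and not the OLEVBMacro plugin's code: a minimal Python sketch that classifies attachments by content rather than by file name. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def classify(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"  # may hold VBA; an OLE parser is needed to decide
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"
    if "[content_types].xml" not in names:
        return "other"  # a ZIP, but not an Office Open XML package
    # The VBA project is a vbaProject.bin part, whatever the file is called.
    if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "ooxml-macro"
    return "ooxml-clean"

def scan_message(raw: bytes) -> dict:
    """Map each attachment file name to its classification."""
    result = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:
            result[name] = classify(part.get_payload(decode=True) or b"")
    return result

def _package(parts) -> bytes:
    """Build a constructed ZIP package holding the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for p in parts:
            zf.writestr(p, b"constructed")
    return buf.getvalue()

def sample_message() -> bytes:
    """Constructed test mail: clean docx, macro package named .docx, old .doc."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    ct = "[Content_Types].xml"
    for fname, data in [
        ("report.docx", _package([ct, "word/document.xml"])),
        ("invoice.docx", _package([ct, "word/document.xml", "word/vbaProject.bin"])),
        ("old.doc", OLE2_MAGIC + b"\x00" * 64),
    ]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()
```

Legacy OLE files are reported separately because the container signature alone does not say whether a VBA project is present.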