Macros in Office Desktop Apps (on Windows 11) can pose significant security risks. These scripts, often used to automate tasks in applications like Microsoft Excel or Word, can be exploited by attackers to access your data, device operating system or the wider University systems.
Security risks
Risks associated with Macro use are as follows:
- Malware Distribution: Malicious macros can execute harmful commands, such as installing malware, stealing data, or compromising system integrity. They're a common tactic in phishing campaigns.
- Unauthorised Access: A macro could potentially give unauthorised users access to sensitive files or system resources.
- Social Engineering: Users might be tricked into enabling macros in documents that appear legitimate but contain malicious scripts.
- Limited Visibility: Macros operate in the background, making it difficult to know when they're executing malicious commands.
To mitigate these risks, Windows 11 and Microsoft Office have enhanced security features like disabling macros by default in documents downloaded from untrusted locations. Always avoid enabling macros unless you're sure of the document's source and purpose. Keeping your system and applications up to date with the latest patches also reduces vulnerabilities.
Support
As we move the Staff Desktop Service to Windows 11 OS and its enhanced security profile, we are starting to see a number of similar requests for direction on alternatives to VBA Macros. Microsoft are recommending the use of Automate in Office Scripts (See: Automate tab in excel) for in App functionality, this can be used in conjunction with Power Automate for cross-application automation.
We appreciate Macro’s have been in use for a long time so every University use-case is different, as such we can only refer colleagues to the information available and leave it with the user to decide on how they take this forward.
The support and guidance Microsoft offer can be found here: Office Scripts in Excel - Office Scripts | Microsoft Learn / Introduction to Office Scripts in Excel - Microsoft Support.
Although we don’t support Macros or their alternatives, if you have a business-critical issue resulting from this, our Support Team may be able to assist in the short term – please raise a case with the Service Desk to investigate.
Business Critical Assessment
If the use of macros is business critical to the University, please provide the following information for assessment:
- Name of the file
- Location of the file
- Reason why it is used
- Number of users and how many departments it is used in
- Confirmation that alternatives have been explored
Can I get more information and help?
If you have further questions or queries, please contact the Service Desk at IT.Services@lboro.ac.uk.