Some users of Office 365 will soon have a new tool to fight ransomware. As we noted in our recent article on corporate ransomware protection, one of the most common ways companies are infected with ransomware is through malicious Microsoft Office files. These files typically carry macros, small embedded programs, that kick off the ransomware infection when the document is opened. Microsoft recently announced that users of Office 365 ProPlus will soon be able to open all documents from untrusted sources (e.g., anything sent via e-mail or downloaded from the Internet) inside “Microsoft Office Application Guard,” a separate virtual environment. That environment is isolated from the user’s operating system and regular programs, and it is destroyed when the user logs out. As a result, any infection triggered by an untrusted document should be unable to reach the user’s computer and should be discarded along with the virtual environment at logout. This should significantly limit the spread of ransomware, or at least force the criminals to find other approaches for infecting user computers.
We expect to see Microsoft make this available to lower-tier Office 365 users in the near future as well. If your organization uses Office 365, we encourage you to take advantage of this exciting security feature which should help significantly reduce your organization’s attack surface.
That being said, no security system is perfect. For example, a file may run in the virtual environment without any negative effects being detected, yet contain a “sleeper” version of the ransomware that waits days, or even months, before launching. Other variants may check whether they are running in a virtual environment and, if so, postpone any malicious activity until they are outside it. Still others may attempt to escape the virtual environment by exploiting vulnerabilities in it.
In the end, as we discussed previously, disabling macros can significantly reduce your attack surface. If you must enable macros, the Australian Cyber Security Centre has created this handy chart that outlines some of the risks associated with the different macro security levels.
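As an added illustration of the “disable macros” advice (example script written for this article, not code from Microsoft or the Australian Cyber Security Centre), the following PowerShell applies and then audits the Office macro policy for Word, Excel and PowerPoint under the per-user policy hive. It assumes an Office 2016/365 installation, whose policy keys live under the registry version “16.0”, and it sets two settings: the macro security level (`VBAWarnings`, where 4 is “Disable all macros without notification”) and the policy that blocks macros in files that came from the Internet or e-mail (`BlockContentExecutionFromInternet`). The function names are our own.

```powershell
# Added example (not from the original article): apply and audit the
# "disable macros" policy for Word, Excel and PowerPoint via the per-user
# Office policy registry keys. Assumes Office 2016/365 ("16.0"); change
# $OfficeVersion for other releases. Use HKLM: instead of HKCU: (from an
# elevated session) to enforce the setting machine-wide.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy values:
#   1 = Enable all macros (not recommended)
#   2 = Disable all macros with notification
#   3 = Disable all except digitally signed macros
#   4 = Disable all macros without notification
$VBAWarningsLevels = @{
    1 = 'Enable all macros'
    2 = 'Disable with notification'
    3 = 'Signed macros only'
    4 = 'Disable all without notification'
}

function Get-OfficeSecurityKey([string]$App) {
    return "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-OfficeMacroPolicy {
    # Level 4 is the "disable macros" setting the article recommends;
    # 3 (signed only) is the fallback when some macros must remain usable.
    param([ValidateSet(2, 3, 4)][int]$Level = 4)

    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Macro security level for this application
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $Level -Force | Out-Null

        # Block macros in documents carrying the Mark-of-the-Web, i.e. files
        # downloaded from the Internet or received as e-mail attachments
        New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # Report the effective policy values so the change can be verified.
    foreach ($app in $Apps) {
        $key  = Get-OfficeSecurityKey $app
        $vba  = (Get-ItemProperty -Path $key -Name 'VBAWarnings' `
                    -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
                    -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

        if ($null -eq $vba) {
            $levelText = 'not set (user default applies)'
        } else {
            $levelText = "$vba ($($VBAWarningsLevels[[int]$vba]))"
        }
        $motwText = if ($motw -eq 1) { 'enforced' } else { 'not enforced' }

        [pscustomobject]@{
            Application         = $app
            MacroLevel          = $levelText
            BlockInternetMacros = $motwText
        }
    }
}

# Apply the recommended setting, then print the resulting policy per application.
Set-OfficeMacroPolicy -Level 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Running the audit function on its own (without `Set-OfficeMacroPolicy`) is a quick way to check whether existing workstations already have the policy in place; a row reading “not set” means the user can still change the macro setting from the Trust Center, which is exactly the gap the ACSC chart warns about.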