Mailing List Archive

Microsoft to block Office VBA macros by default
Hi,

I'm just curious if this announcement has changed anyone's thinking
about how we should be handling docx/xlsx/etc attachments in email?
This obviously doesn't prevent someone from emailing a document with a
malicious macro, but is this going to provide sufficient protection
once a potentially malicious document is received to relax email
protections a bit?

https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change

Are you outright blocking these attachments? Perhaps you're only
blocking those with macros?

Is the ExtractText plugin good enough to extract potentially malicious
links to be checked?

Re: Microsoft to block Office VBA macros by default
Alex <mysqlstudent@gmail.com> writes:

> I'm just curious if this announcement has changed anyone's thinking
> about how we should be handling docx/xlsx/etc attachments in email?
> This obviously doesn't prevent someone from emailing a document with a
> malicious macro, but is this going to provide sufficient protection
> once a potentially malicious document is received to relax email
> protections a bit?
>
> https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change
>
> Are you outright blocking these attachments? Perhaps you're only
> blocking those with macros?
>
> Is the ExtractText plugin good enough to extract potentially malicious
> links to be checked?

Can you explain your thinking on the causal link and timeline from an
announcement to 99.999% of actual Windows systems having updated code
that behaves this way?

The article says

"The change will apply to Office files that are downloaded from the
internet and include macros"

which implies that other files - which may or may not have arrived in
mail - might be treated differently.

It talks about Office 365. It doesn't say anything about old,
unmaintained copies of Office on XP.


I don't see any reason it makes sense to lighten up on protections.

Re: Microsoft to block Office VBA macros by default
Hi All,

From my perspective, these macro-enabled files need to be blocked, and
enabling the OLEVBMacro plugin and using the KAM ruleset will help in
that goal.

NOTE: Microsoft says these macros need to be vetted every time they
leave your control. The recent change from Microsoft to disable also
goes back to 2013, not just O365. Here's a better article:
https://arstechnica.com/gadgets/2022/02/microsoft-will-block-downloaded-macros-in-office-versions-going-back-to-2013/

Finally, in my stack, "We work to score Office documents with macros so
they are considered spam due to the risk in receiving them." and have
done so for years.

Regards,

KAM

On 3/15/2022 3:42 PM, Greg Troxel wrote:
> Alex <mysqlstudent@gmail.com> writes:
>
>> I'm just curious if this announcement has changed anyone's thinking
>> about how we should be handling docx/xlsx/etc attachments in email?
>> This obviously doesn't prevent someone from emailing a document with a
>> malicious macro, but is this going to provide sufficient protection
>> once a potentially malicious document is received to relax email
>> protections a bit?
>>
>> https://www.theverge.com/2022/2/7/22922032/microsoft-block-office-vba-macros-default-change
>>
>> Are you outright blocking these attachments? Perhaps you're only
>> blocking those with macros?
>>
>> Is the ExtractText plugin good enough to extract potentially malicious
>> links to be checked?
> Can you explain your thinking on the causal link and timeline from an
> announcement to 99.999% of actual Windows systems having updated code
> that behaves this way?
>
> The article says
>
> "The change will apply to Office files that are downloaded from the
> internet and include macros"
>
> which implies that other files - which may or may not have arrived in
> mail - might be treated differently.
>
> It talks about Office 365. It doesn't say anything about old,
> unmaintained copies of Office on XP.
>
>
> I don't see any reason it makes sense to lighten up on protections.

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
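
The "block only those with macros" option raised in this thread depends on inspecting attachment content rather than the file extension. The sketch below is an added example, not part of the original posts and not the OLEVBMacro plugin's code; the function names and the sample message are constructed for illustration, and legacy OLE2 files are only reported, not parsed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
CT_PART = "[Content_Types].xml"
VBA_CTYPE = b"vnd.ms-office.vbaproject"  # content type of the VBA part, lowercased

def classify_attachment(data: bytes) -> str:
    """Verdict from content only; the filename and extension are ignored."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binaries can embed VBA; this sketch does not parse the OLE
        # directory, so it reports them for stricter handling instead.
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "clean"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ctypes = zf.read(CT_PART) if CT_PART in names else b""
    except zipfile.BadZipFile:
        return "malformed-zip"  # cannot be vetted, so do not treat as clean
    # The part is normally named vbaProject.bin, but it can be renamed,
    # so the declared content type is checked as well.
    if any(n.lower().endswith("vbaproject.bin") for n in names) or VBA_CTYPE in ctypes.lower():
        return "ooxml-macro"
    return "clean"

def scan_message(raw: bytes) -> dict:
    """Map each attachment filename to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): classify_attachment(part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed message: clean docx, macro file renamed to .docx, legacy .doc."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for fname, blob in [("report.docx", make_zip({"word/document.xml": b"<w/>"})),
                        ("invoice.docx", make_zip({"word/vbaProject.bin": b"x"})),
                        ("old.doc", OLE2_MAGIC + b"\0" * 64)]:
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags `invoice.docx` as macro-bearing even though its extension claims a macro-free format.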