No matter how careful you are, you’ll still find malware everywhere, even in the Office 365 apps. It is not necessarily something new: bad actors have often buried malware in scripts and macros in Microsoft Word and PowerPoint. That is exactly why Microsoft announced that Office 365 client applications now integrate with the Antimalware Scan Interface (AMSI).
Microsoft said in a blog post this week that there has been a “resurgence” of these macro-based malware threats in recent years. The company has now invested in countering the threat and has built detection mechanisms that expose bad macros through threat protection solutions in the cloud. Microsoft is also exposing the capability through AMSI, which is an open interface that is accessible to any other antivirus program.
As explained by the Microsoft Secure Team:
“How can antivirus and other security solutions cope? Today, antivirus solutions can extract and scan the obfuscated macro source code from an Office document. How can the macro’s intent be exposed? What if security solutions can observe a macro’s behavior at runtime and gain visibility into system interactions? Enter Office and AMSI integration.”
There are three parts to the integration: logging macro behavior, triggering a scan, and stopping the malicious behavior. The logging side of things is a bit technical, but triggering halts the execution of the macro and requests a scan of the macro behavior. After that, AMSI will determine if the script or macro is malicious. Malicious scripts and macros are then stopped, and the user will see a security notice, with the application session shut down to avoid damage.
This functionality will be turned on by default on the Monthly Channel of Office 365, and in Word, Excel, PowerPoint, Access, Visio, and Publisher. Macros are scanned at runtime via AMSI in most scenarios, except when security settings are set to “enable all macros.” You can learn more from Microsoft’s blog post.