What you need to know
- Microsoft will change how Office 365 handles Trusted Documents.
- Trusted Documents can contain active content that can run regardless of IT admin policies.
- Following an upcoming change, IT admin policies will always take precedence over Trusted Documents.
Microsoft is working to secure how Office handles Trusted Documents. These types of documents contain controls that can run without user interaction, including ActiveX controls, Dynamic data Exchange functions, and macros. These files are often used for innocent purposes but can be used as part of attacks by threat actors.
At the moment, Trusted Documents can override Protected View safeguards, but that won't be the case in the future.
"We are changing the behavior of Office applications to enforce policies that block Active Content (ex. macros, ActiveX, DDE) on Trusted Documents," reads the Microsoft 365 roadmap. "Previously, Active Content was allowed to run in Trusted Documents even when an IT administrator had set a policy to block it. As part of ongoing Office security hardening, the IT administrator's choice to block Active Content will now always take precedence over end-user set trusted documents."
Security risks stem from the fact that Trusted Documents can bypass policies set by IT administrators. Following the outlined change, Trusted Documents will follow set IT admin policies. This is a logical change as it moves decisions related to security to IT admins rather than end-users.
Attacks utilizing documents to fool people are nothing new. A recently discovered malware campaign used a Word document that tried to trick people into activating malicious code. The attack utilized a document that falsely claimed to be made with "Windows 11 Alpha." People could be fooled into thinking that they had to follow prompts from the document to make it work on their PC.
The roadmap states that the feature is in development and that it could arrive in October 2021, but dates on the Microsoft 365 roadmap are always subject to change.
