What are macro-enabled document attacks?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email with a Word document attached. It looks like an invoice, a contract, or a shipping notice. You open it, and a yellow bar at the top says something like "This document is protected. Enable editing to view content." That prompt is the attack.
Macros are small scripts built into Microsoft 365 documents (Word, Excel, PowerPoint) that automate repetitive tasks. Legitimate finance teams use them all the time. The problem is that same automation can run malicious code the moment you click "Enable."
Once enabled, the macro typically reaches out to an attacker-controlled server, downloads a payload, and installs malware silently in the background. You might not notice anything. The document may even display normal-looking content while the damage is already done.
The social engineering varies, but a few scripts come up again and again:
- "Enable macros to decrypt this secure document"
- "This file was created in an older version of Office. Enable editing to display correctly."
- "Enable content to view your invoice"
These prompts are designed to feel routine, not alarming. That's the whole point.
Microsoft now blocks macros by default in files downloaded from the internet (flagged with what's called a "Mark of the Web"). That was a big win. But attackers adapted fast. They started sending documents inside ZIP files, using ISO disc images, or switching to formats like OneNote that handle embedded content differently. The macro block slowed them down, it didn't stop them.
Now if you're managing email security for an org, here's what actually helps:
- Block macros from internet-sourced files at the Group Policy level (don't rely on users making the right call)
- Flag or quarantine Office attachments arriving from external senders before delivery
- Train people to report that yellow bar, not click it
- For file sharing inside the org, use cloud links (Google Drive, SharePoint) rather than attaching documents directly
If you're an individual, the safest default is simple. Unless you specifically requested a document that needs macros, don't enable them. Ever. (And if someone sent you a document you weren't expecting that's asking you to enable anything, treat it as suspicious until you can verify.)
Macro attacks are one of the older tricks in the malicious attachment playbook, but they still work. That's why they're still being used.
Worried about what's slipping through to your team? Our SOS hotline is free, and we're happy to talk through your setup with no pitch attached.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.