A screenshot of a Microsoft Word document with a malicious macro embedded as part of an IRS-themed malware campaign. Image: Microsoft

After rolling back the planned change last month, Microsoft said it is still planning to block VBA macros by default.

VBA macros can be used to automate routine processes in Microsoft Office applications. While this makes them a handy tool for businesses, particularly those in accounting and finance, they have long been popular with criminals who use them to send malicious emails.

Microsoft's announcement in February that it would block VBA macros from being run by default delighted the cybersecurity community. The change, which would prevent users from inadvertently opening files from the internet that contain macros, was supposed to take effect in June. Microsoft quietly rolled back the change on June 30 due to user feedback.
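The kind of file this default targets can be found during triage by combining two checks: whether an Office Open XML file carries a VBA project, and whether Windows tagged it as downloaded from the internet. The following is an added example, not code from Microsoft or from this article. The function names, the sample data and the simplified "ZoneId 3 or higher" rule are assumptions made for illustration, not Office's actual decision logic.

```python
import io
import re
import zipfile

INTERNET_ZONE = 3  # Windows URL security zones: 3 = Internet, 4 = Restricted sites

# Constructed sample of a Zone.Identifier stream (Mark of the Web); not real data.
MOTW_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/form.docm\r\n"


def build_sample(parts):
    """Build a constructed OOXML-style ZIP in memory from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def has_vba_project(data):
    """True if the OOXML container holds a vbaProject.bin part (word/, xl/, ppt/)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE2 .doc/.xls files are out of scope for this sketch


def zone_id(text):
    """Parse the ZoneId value from Zone.Identifier stream text, or return None."""
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def read_motw(path):
    """Return the Zone.Identifier stream text for a file on NTFS, or None."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, non-NTFS volume, or non-Windows host


def triage(data, zone_text):
    """Classify a file as 'internet-macro', 'local-macro' or 'no-macro'."""
    if not has_vba_project(data):
        return "no-macro"
    zone = zone_id(zone_text) if zone_text else None
    if zone is not None and zone >= INTERNET_ZONE:
        return "internet-macro"
    return "local-macro"
```

On a Windows host, pass the file's bytes and the result of `read_motw(path)` to `triage`; a file whose Mark of the Web was stripped in transit will show up as `local-macro`, so that result is not proof of a local origin.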

Microsoft's change of heart drew a lot of angry comments. The surprise U-turn is only temporary, however, and the software giant is committed to blocking internet macros.

We rolled back the change temporarily while we make some additional changes to improve the experience. This is a temporary change and we are committed to making the default change for all users.

Users can still block internet macros if they change their Group Policy settings, according to Microsoft.

A Microsoft spokesman didn't comment on when the blocking of macros would take effect or on how it would be done.

The move to block macros by default appeared to be working until Microsoft reversed it. Given Microsoft's plans to block VBA macros by default, attackers may already be moving away from macro-based attacks. The Emotet bot is replacing Microsoft Word documents with a malicious attachment in order to send more junk mail.

According to HP Wolf, there has been a fourfold rise in the use of Java archive files as threat actors turn to non-Office-based formats.
