If asked what your biggest security risk is, you’d likely point to things like email, passwords, or remote access.
Few business owners would mention Excel or PowerPoint.
Yet, Office apps are one of the most frequent entry points attackers use ☠️
As a result, Microsoft has introduced a new security baseline for its Microsoft Office 365 apps.
It’s a tightening of the screws under the hood 🪛
Simply put, a security baseline is Microsoft’s suggested template for secure settings.
IT admins can apply it to the Microsoft 365 Office apps to make them more resistant to modern attack methods.
A big focus of the latest version is to reduce risk created by older components and external connections.
Consider Excel as an example. When a spreadsheet tries to import data from an external source, and that source is blocked by your security settings, Excel will no longer allow updates of that information.
Instead, it will show an error message.
Attackers often conceal malicious data connections in spreadsheets.
If Excel connects automatically to an untrusted source, it can create a security risk.
Stopping that automatic refresh removes a potential entry point.
Microsoft is also disabling OLE content in PowerPoint.
Object Linking and Embedding (OLE) is an established technology that allows users to embed material from other applications in their files.
The use cases are legitimate, but it has also been exploited in the past.
Reducing reliance on older embedding methods lowers the overall risk.
All Microsoft 365 apps will see changes, including:
- 🔒 Documents being blocked if they try to use non-HTTPS web connections (HTTPS is the encrypted, secure version of web traffic)
- 🔒 Older graph components being disabled if they are no longer widely used
- 🔒 Legacy add-ins like the classic OrgChart being turned off
- 🔒 Prevention of fallback to outdated network protocols
Microsoft is gradually moving businesses away from outdated technologies that are vulnerable to attack.
The important thing to remember is that these changes don’t turn on automatically everywhere.
Your IT team will need to deploy them using the Microsoft Security Compliance Toolkit.
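Because the baseline has to be deployed deliberately, it is worth having a way to confirm it actually landed on a given workstation. The script below is an added example written for this post; it is not part of the post and not Microsoft’s tooling. It reads the Office policy hive (`HKCU:\Software\Policies\Microsoft\Office\16.0\...`, which is where Group Policy and the toolkit write settings for Microsoft 365 Apps) and reports each expected value as OK, DRIFT, or NOT CONFIGURED. The value names and expected numbers in `$ExpectedPolicies` are placeholders; fill them in from the baseline documentation that ships with the Security Compliance Toolkit.

```powershell
# Added example (not from the post or from Microsoft): audit a workstation against
# a hand-maintained list of expected Office policy values and report any drift.
# The registry value names and expected numbers below are PLACEHOLDERS; replace
# them with the real settings listed in the baseline documentation.

$ExpectedPolicies = @(
    [pscustomobject]@{ App = 'Excel';      Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security';      Name = '<ExternalDataSettingFromBaseline>'; Expected = 1 }
    [pscustomobject]@{ App = 'PowerPoint'; Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security'; Name = '<OleSettingFromBaseline>';          Expected = 1 }
    [pscustomobject]@{ App = 'Common';     Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security';     Name = '<HttpsOnlySettingFromBaseline>';    Expected = 1 }
)

function Test-OfficePolicyDrift {
    param([Parameter(Mandatory)][object[]]$Expected)

    foreach ($p in $Expected) {
        $actual = $null
        if (Test-Path -Path $p.Path) {
            # -ErrorAction SilentlyContinue: a missing value name is reported, not thrown
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($p.Name) }
        }

        # $null means the policy key or value is absent: the baseline was never applied here
        if ($null -eq $actual)             { $status = 'NOT CONFIGURED' }
        elseif ($actual -eq $p.Expected)   { $status = 'OK' }
        else                               { $status = 'DRIFT' }

        [pscustomobject]@{
            App      = $p.App
            Setting  = $p.Name
            Expected = $p.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$report = Test-OfficePolicyDrift -Expected $ExpectedPolicies
$report | Format-Table -AutoSize

# Non-zero exit so the check can gate a scheduled task or compliance job
if ($report.Status -contains 'DRIFT' -or $report.Status -contains 'NOT CONFIGURED') { exit 1 }
```

The script deliberately reads only the `Policies` hive rather than the per-user `HKCU:\Software\Microsoft\Office` settings, because a value a user has toggled in the Trust Center does not prove the baseline was deployed; machine-scoped policies live under `HKLM:\Software\Policies` and can be added to the list the same way. For a full comparison of a machine against the baseline GPOs, the toolkit’s own Policy Analyzer does the same job across every setting at once.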
🤔 When is the last time the configuration on your Office apps was checked?
Leave a comment!