End of life for Microsoft Office puts malicious macros in the security spotlight

The upcoming end of life for Windows 10 has IT teams busy. From planning migrations to testing Windows 11 24H2, many of us are reviewing our options for handling that platform going forward. But there are several more daunting end-of-life deadlines in the Microsoft ecosystem that IT teams can’t overlook — especially from a security perspective.

Both Office 2016 and 2019 are nearing their end of life in October 2025. Exchange 2016 and 2019 will come to their end of life on that date as well. Chances are that if you are still on both platforms, the decisions not to migrate yet are intertwined.

In some instances, government entities have even decided to completely migrate off the Microsoft ecosystem and into the world of open-source office platforms. But even this isn’t without migration concerns. Often what keeps a firm on an older platform is processes, macros, and other methods used to automate the business needs.

Recently, Denmark announced it will test phasing out Microsoft 365 in favor of LibreOffice. As with any migration, the impact of the change must be tested methodically to identify the effect on the business.

Organizations often rely on older templates, documents, and macros implemented years ago — an often-overlooked factor in such migrations. While LibreOffice supports macros, there isn’t a direct migration from Office macros to LibreOffice macros. I personally can attest to the loss of macros and templates when migrating from Lotus 1-2-3 to Excel many years ago. We could not rely on our own internal resources to migrate these key documents. Instead, we had to obtain external support and guidance to convert and adjust the documentation to work with the new platform.

Office macro security gotchas

While macros can add value to business processes, they can also be harmful.

As such, CISOs and their teams need to review whether their office platform of choice can provide protections similar to those Office 365 currently has, specifically for addressing malicious macros.

Here are six types of malicious macros to be aware of — regardless of whether you are testing out a migration due to Microsoft’s upcoming end-of-life deadlines.

Malicious code execution: Macros can contain scripts — often written in Visual Basic for Applications (VBA) — that execute automatically when a document is opened. Attackers can embed malicious code within macros to perform actions such as stealing data, corrupting files, or taking control of your system.

Macro-based malware and ransomware: Malicious macros are a common vector for malware and ransomware. Once executed, they can propagate quickly, compromising not just the initial document but also templates and other files on the system.

Bypassing security controls: Attackers use macros to bypass security mechanisms, allowing unauthorized access to systems and networks. This can lead to data theft, espionage, or destruction of sensitive information.

Phishing and social engineering: Malicious macros are frequently spread through phishing emails. Users may be tricked into enabling macros, believing the document is legitimate, which triggers the malicious code.

Fileless attacks: Some macro-based threats operate entirely in memory (“fileless”), making them harder to detect with traditional antivirus software.

Insider threats and accidental spread: Even trusted users can inadvertently spread malicious macros by sharing documents or using code from unverified sources.

LibreOffice brings those same risks, and potentially more, because it may not warn end users in the same fashion about untrusted files containing macros that were received from the Internet. Take CVE-2025-1080, for example: “In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments.”

Windows and Office include specific settings that enable IT teams to better protect their organizations from malicious macros. If you rely on macros for key workflows in your organization, you need to be proactive by using various Attack Surface Reduction (ASR) rules and looking for more modern automation processes.

To that end, consider using “no-code” alternatives such as Power Automate to build workflow processes. Always review your options and keep an eye on resources such as Microsoft’s Power Automate notification page to ensure you’re on top of the support boundaries of relying on such external processes. Ascertain whether you can utilize more powerful native functions added to recent versions of Excel, such as XLOOKUP and LAMBDA, to manipulate data. Also consider using Power Query to extract data from Excel. As you move your data to Office 365, you can also consider using Microsoft Graph to automate processes.

Attack Surface Reduction rules to abide by

Implementing Attack Surface Reduction rules can greatly limit the scope and impact of most malicious macros.

If you’ve completely disabled macros in your organization, then ASR rules are not needed. But if you still rely on macros, the following rules are worth setting:

Block all Office applications from creating child processes

Block execution of potentially obfuscated scripts

Block JavaScript or VBScript from launching downloaded executable content

Block Office applications from creating executable content

Block Office communication application from creating child processes

Block Win32 API calls from Office macros

Use advanced protection against ransomware
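
As an added example (not part of the original article), this PowerShell script reports the state of the seven rules listed above on the local machine, using the Microsoft Defender cmdlets Get-MpPreference and Add-MpPreference. The -SetAudit switch is a hypothetical convenience of this script: it places any rule that is unset or disabled into audit mode, so its effect on macro-dependent workflows can be reviewed before the rule is switched to block.

```powershell
# Added example: audit the seven ASR rules named in this article.
# Run from an elevated prompt if -SetAudit is used (Add-MpPreference needs admin).
param([switch]$SetAudit)   # hypothetical switch defined by this script

# Rule GUIDs as documented by Microsoft for Defender ASR.
$rules = [ordered]@{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Get-MpPreference returns rule IDs and actions as two parallel arrays.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$current = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $current[$ids[$i].ToLower()] = [int]$actions[$i]
}

$report = foreach ($id in $rules.Keys) {
    $state = if ($current.ContainsKey($id)) { $actionNames[$current[$id]] }
             else { 'Not configured' }
    if ($SetAudit -and $state -in 'Not configured', 'Disabled') {
        # Audit mode logs what the rule would have blocked without blocking it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
        $state = 'Audit (just set)'
    }
    [pscustomobject]@{ State = $state; Rule = $rules[$id]; Id = $id }
}

$report | Format-Table -AutoSize -Wrap

# Summarize the gap: rules from the article's list that are not yet blocking.
$notBlocking = @($report | Where-Object { $_.State -ne 'Block' })
Write-Output ("{0} of {1} rules are not in Block mode." -f $notBlocking.Count, $rules.Count)
```

In managed environments these rules are normally deployed through Intune or Group Policy, and a locally set value can be overridden by that policy.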

Safeguarding against malicious macros on macOS

Office on macOS also offers tools to better protect against malicious macros. For example, macOS uses the platform’s sandbox to limit the damage caused by a malicious document.

But don’t be complacent on the Mac platform. Attackers realize we are moving more and more to a blended network of connected Windows and Mac devices. Ensure you also perform due diligence on Apple’s platform to better protect your organization from malicious activity.

Here, you can deploy preferences for Office for Mac to better protect your network. The preferences you’ll want to set include:

Disable the VBA object model

Disable Visual Basic system bindings

Enable disabling Visual Basic external library bindings

Enable disabling Visual Basic pipe bindings

Enable disabling Visual Basic invoking AppleScript

No matter what platform you decide to migrate to, ensure you review the business impact and the security impact on your organization. Migrations due to end-of-life decisions are impactful in more ways than most organizations anticipate.
