What a macro actually is
A macro is a small recorded program inside a document. In Excel, Word and PowerPoint it is written in VBA — Visual Basic for Applications. You record a sequence once, bind it to a macro button on the sheet, and one click replays it: reformat a report, pull data, rebuild a chart. For repetitive office work it is genuinely powerful.
Why that power cuts both ways
VBA is not a toy scripting language. It can read and write files, reach the network, launch programs, and call the operating system. A macro that “cleans up a report” and a macro that downloads and runs malware are the same kind of object — code that executes with your permissions. The document is just the wrapper.
How a macro attack works
The classic chain: a convincing email arrives with an attachment — an .xlsm, .docm or .xlsb, the macro-enabled formats. Open it and the content is deliberately blurred or “protected,” with a banner urging you to Enable Content. That click is the whole attack. The macro fires on open, pulls a payload, and the spreadsheet becomes the foothold — stolen credentials, ransomware, a backdoor.
Spot the dangerous file
- Extensions ending in m (.xlsm, .docm, .pptm) can carry macros. The plain .xlsx/.docx cannot.
- A yellow security-warning bar on open — the file wants to run code.
- Content that pressures you — “enable editing to view,” fake blur, fake CAPTCHAs. Real documents never need that.
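An extension check is only a first filter, because the modern Office formats are zip packages whose contents can be inspected directly. The following is an added example, not code from the original article: it looks inside a file for the vbaProject.bin part and the VBA content type declared in [Content_Types].xml, so a macro payload is flagged regardless of the extension on the name. The sample packages it builds are constructed stand-ins with a placeholder part, not real workbooks.

```python
"""Flag VBA macros in Office Open XML packages by content, not by extension."""
import io
import zipfile

# Part that stores compiled VBA in Word, Excel and PowerPoint OOXML packages.
VBA_PART = "vbaProject.bin"
# Content type Office declares for that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_report(data: bytes) -> dict:
    """Inspect file bytes and report whether an OOXML package carries VBA."""
    report = {"is_ooxml": False, "has_vba_part": False, "declares_vba_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy OLE2 (.doc/.xls) or not an Office file at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return report  # a zip, but not an Office Open XML package
    report["is_ooxml"] = True
    report["has_vba_part"] = any(n.endswith(VBA_PART) for n in names)
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["declares_vba_type"] = VBA_CONTENT_TYPE in content_types
    return report


def is_macro_enabled(data: bytes) -> bool:
    """True when the package contains VBA, whatever the file name claims."""
    r = office_macro_report(data)
    return r["has_vba_part"] or r["declares_vba_type"]


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal package for demonstration; the VBA part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.'
              'openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
        if with_vba:
            ct += f'<Override PartName="/xl/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(f"xl/{VBA_PART}", b"placeholder, not real VBA")  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    # A file named like a plain workbook is still flagged if it carries VBA.
    for name, blob in (("report.xlsx", build_sample(True)), ("notes.xlsx", build_sample(False))):
        print(name, "->", "MACROS PRESENT" if is_macro_enabled(blob) else "no macros")
```

Run it on a real attachment with `is_macro_enabled(open(path, "rb").read())`; a false result for a zip that is not OOXML means the file needs a different check, not that it is safe.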
Staying safe
Keep macros disabled by default — modern Office blocks them in files from the internet, so leave that on. Never click Enable Content on a file you did not expect, even from a known sender; accounts get compromised. Open suspect attachments in Protected View, or in a sandbox / web viewer. Prefer .xlsx over .xlsm when you share files, and if you do rely on macros, get them from a source you trust and would vouch for. Convenient is fine — just never convenient on autopilot.