> At best, there is negligible evidence that major non-MS AV products give a net improvement in security.
I apologize for presenting an anecdote when data is needed, but I manage a Windows network with 100+ users and on a daily basis Kaspersky catches 5-10 emails from Outlook that have nasty attachments. It prevents my users from opening these innocuous-looking but nasty Invoice-Jan-2017.docx files. Without a good AV there is no way to know which Invoice-Jan-2017 has a virus/worm vs. which doesn't. Relying on the Office security feature is not sufficient because actual vendors/customers send macro-enabled files to us regularly.
Have you actually tried Defender and tested it out against Kaspersky? Nobody is telling you to rely on just Office's security features; Defender is a full-fledged AV product built into Windows. I believe it and System Center Endpoint Protection are essentially the same product, and in fact, in Windows 10 Defender just applies SCEP policies instead of installing a new program.
Does anyone on your network have a valid reason to execute Office macros? If not, disable them via group policy. Solves so many problems. See what @SwiftOnSecurity has to say on the topic, they manage thousands of users and it seems to work excellently.
You should set it up to remove the virus at the source, the mail server. End users should never receive these mails. Also, it is a bad habit to receive invoices by mail (who does it that way?? in a Word docx?).
There are exploits for pretty much every file format in existence. [1] There are also exploits that work by just having the e-mail arrive in your e-mail client without you having to even open the message. In fact the e-mail may not even reach your computer if you use some corporate proxy which has anti-virus installed. Project Zero revealed just recently a Norton/Symantec flaw where just sending the e-mail is enough for code execution. [2]
[1] Almost none of these are zero day though, so if you're up-to-date you'll be fine.
It is a feature [0].
Microsoft office products allow for "macros" which are Visual Basic code embedded within a document or a worksheet that can be used by developers to add extra functionalities to their MS files (e.g. validate all data in a work sheet after a user clicks a specific button in the worksheet).
Just like any programming language, it could be used maliciously, and there is no easy way to distinguish which macro-enabled file is safe and which isn't (without going through the code yourself prior to enabling the functionality)
For this exact reason docx macros are disabled by default and you have to do some enabling. Presumably there are also more sophisticated exploits that don't rely on the user dismissing multiple security warnings.
These viruses show a blank docx file in macro-disabled mode with only one image, which says "Enable macros to view secure invoice" and shows a picture guide on how to enable macros. Some of them have better instructions than the user guides I write for my users.
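As an added example, not code from any commenter in this thread: a small Python check that a mail gateway or helpdesk could run over an attachment to tell a macro-carrying OOXML file from a plain one by looking for the embedded VBA project (the `vbaProject.bin` part and its content type), which is the distinction the thread says cannot be made from the filename alone. The two sample documents are constructed in the block; they are not real invoices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type that OOXML packages declare for an embedded VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def office_macro_indicators(data: bytes) -> dict:
    """Inspect a zip-based Office file (docx/docm/xlsm/pptm) in memory and
    report whether it carries a VBA project. Non-zip input is reported as such."""
    result = {"is_ooxml": False, "vba_parts": [], "vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy .doc (OLE) or not an Office file at all
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Any part named vbaProject.bin, whatever its folder (word/, xl/, ppt/)
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # The package manifest also declares the VBA content type for such parts
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    for tag in ("Override", "Default"):
        for el in root.iter(CT_NS + tag):
            if el.get("ContentType") == VBA_CONTENT_TYPE:
                result["vba_content_type"] = True
    return result

def has_vba_macros(data: bytes) -> bool:
    r = office_macro_indicators(data)
    return bool(r["vba_parts"]) or r["vba_content_type"]

def _build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (hypothetical, not a real file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # constructed stub
    return buf.getvalue()

CLEAN_DOC = _build_sample(False)   # has_vba_macros -> False
MACRO_DOC = _build_sample(True)    # has_vba_macros -> True
```

A gateway rule built on this would quarantine or strip attachments where `has_vba_macros` is true rather than relying on the user to decline the "enable content" prompt.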
Still, some user intervention is required. Assuming you found a vulnerability in Office, it'd be preferable to have a vector where the user just had to open the file.
Normally docx viruses are simply VBA scripts, but sometimes they exploit an ActiveX embed or image rendering bug.
However other times things like browsers do dumb stuff:
docx files and Silverlight files are both just zip files with completely different structures, meaning they can live together in the same file.
IE used to look at txt files that contained HTML tags and say, hmm, maybe I should display that as HTML.
That meant on sites that accepted txt and docx uploads (a lot of recruitment sites etc.) you could upload a txt file that simply embedded the docx as a Silverlight component. When the admin looked at the txt file it would run the code as the currently logged in (admin) user.
An extraordinary amount of Cryptolocker outbreaks were due to .docx files containing macros.
Yes, it has a default behaviour of "prompt to execute macros", but it happily shows the advice in the malicious document to "please click yes at this prompt to get a free iPhone", at which point the majority of users click "yes".
Are you the target audience for this blog post, though? As far as I can tell, the post talks about one-user setups.
I'd argue that the starting point in a corporate environment, where you can assume that users can be quite negligent, is fundamentally different from a one-user setup, especially since I agree that you can't "fix" the user in corporate.
You want the e-mails gone, not just a warning about it, but a warning is perfectly fine if you're one person and have an idea what you're doing.