Microsoft blocks ActiveX by default in Microsoft 365, Office 2024

Microsoft announced it will begin disabling all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications later this month.

Introduced almost three decades ago, in 1996, ActiveX is a legacy software framework enabling developers to create interactive objects embedded in Office documents.

After this change rolls out, ActiveX will be blocked entirely and without notification in Word, Excel, PowerPoint, and Visio to reduce the risk of malware or unauthorized code execution.

When opening documents with ActiveX controls, a notification will appear at the top with a "Learn More" button saying, "BLOCKED CONTENT: The ActiveX content in this file is blocked."

Microsoft also warned Office users in a separate support document not to open unexpected file attachments or change ActiveX settings when prompted by random pop-ups and unknown people.

"When ActiveX is disabled, you will no longer be able to create or interact with ActiveX objects in Microsoft 365 files. Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them," said Zaeem Patel, a product manager on the Office Security team.

​Microsoft says that those who want to enable ActiveX controls can do so via the Trust Center by going through the following steps (but it's important to note that this will enable ActiveX across all Office apps, including Word, PowerPoint, Excel, and Visio):

1. Select File, then Options.
   
   
2. Select Trust Center, then the Trust Center Settings button.
   
   
3. Select ActiveX Settings, then ensure "Prompt me before enabling all controls with minimal restrictions" is enabled.
   
   
4. Select OK, then OK again to save your settings and return to your document.

"For optimal security, Microsoft strongly encourages leaving ActiveX controls disabled unless absolutely necessary," Microsoft cautioned.

The decision to disable it by default was likely prompted by ActiveX's well-known security issues, including zero-day vulnerabilities that were exploited by various state-backed and financially motivated threat groups to deploy malware.

Cybercriminals have also used ActiveX controls embedded in Word documents to install TrickBot malware and Cobalt Strike beacons to breach and maintain access to enterprise networks,

This move is also a much broader effort to remove or turn off Windows and Office features that attackers have abused to infect Microsoft customers with malware. It goes back to 2018 when Microsoft expanded support for its Antimalware Scan Interface (AMSI) to Office 365 client apps to thwart attacks using Office VBA macros.

Since then, Redmond has also started blocking VBA Office macros by default, introduced XLM macro protection, disabled Excel 4.0 (XLM) macros, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants. Microsoft also announced in May 2024 that it would kill off VBScript by making it an on-demand feature until it is completely removed.