What a Concept! 30 years of Microsoft macro-enabled crime and its impact on humans and AI
When Bill Gates' Microsoft shunned the wisdom of experts and mixed code with content in office documents it enabled cybercrimes costing the world billions. Now it's adding AI into the malware mix.
In the summer of 1995, thanks to bad choices made by Microsoft dating back to 1989, the world was introduced to macro malware, a whole new way for criminals to run their code on your computer, violating data privacy and security. Since then, macros in Microsoft documents have led to hundreds of billions of dollars in financial losses, not to mention human pain and suffering. Yet Microsoft’s role in the rise of cybercrime is often overlooked, even as the tech giant continues to make unsafe product development decisions.
In this two-part article I tell the story of how “techbro hubris” spawned the Concept macro virus and led to great harm in the pursuit of profit and power. Part one looks at the origin and evolution of macro viruses in Microsoft Word. The second part will look at the role this technology plays in today’s crushing levels of cybercrime, described by ChatGPT as: “one of the most pervasive and damaging global threats.” I will also describe how the white male-dominated world of digital technology is still behaving in ways that endanger society, and doing crazy things like adding AI to all its office software, even as it admits it can’t be trusted.
Concept Macro Virus: the origin story
The story begins in 1989 when Microsoft releases Word for Windows 1.0, the latest incarnation of its word processing software, the first version of which debuted on the Apple Macintosh in 1985 (ironic but true).
In the late eighties, word processing is one of the two “killer apps” powering the phenomenal transformation of personal computers from exotic niche tech to everyday objects in offices and homes. The other killer app of the day is spreadsheets, exemplified by Lotus 1-2-3.
One feature proving very popular in word processing and spreadsheet programs is macros, a way to store multiple keystrokes or program instructions so that they can be executed with a single key or command. Word for Windows 1.0 is the first version of Word to include serious macro capability.
Enhancing macros in Word is a key part of Microsoft’s strategy to compete with the dominant word processor of the day, WordPerfect, which already has extensive macro features. Microsoft transformed macros in Word with a coding system called WordBasic. (Further transformed in Word 97 with the introduction of VBA: Visual Basic for Applications).
As a product development strategy, boosting the power of macros makes sense, but the way that Microsoft goes about it does not. The company violates a longstanding norm in software design, combining executable programming code and content in the same file.
Turning information that people want to communicate, like invoices and press releases, into programs that run when recipients read them has never been a good idea. That is precisely why the two software companies that dominated personal computer software in the 1980s, Lotus and WordPerfect, had not done this already.
What could go wrong…
Enabling personal computer users to create, with ease, documents that contain both content and code is clearly a very powerful capability. Microsoft further enhanced this capability by enabling Word macros to execute automatically, without user input, whenever a document was opened. Yes, you can do some very useful things with this technology, but like any powerful and useful technology, it can be abused for selfish ends.
Anyone making trivially abusable technology available to the public has — in my personal and professional opinion — a moral obligation to make such abuse as difficult as possible. Given that “ease-of-use” is a highly prized product feature, that moral imperative is often at odds with the corporate investor imperative of maximising revenue and market share.
The predominantly white male technocrats at Microsoft decide that any risks created by its implementation of macros in Word will be outweighed by the benefits of taking market share from WordPerfect. An abundance of faith in their own superiority leads them to ignore the collective wisdom of programming experts. In doing so they fail, like so many companies before and since, to adequately answer that one crucial question, the one that all technology innovators should be asking themselves on a regular basis: what could possibly go wrong? And so it came to pass, in the summer of 1995, six years after a fateful software design decision, that Microsoft found out what could go wrong.
…did go wrong
Here’s what happened, as described by my friend Graham Cluley, a leading chronicler of computer crime and cybersecurity:
“Microsoft accidentally shipped a virus on CD-ROM. At first Microsoft refused to call it a virus, preferring to call it a “Prank macro,” but WM/Concept as it became known was the first widespread virus capable of spreading via Microsoft Word documents.”
One of those Microsoft CDs that came with an infected Word doc was mailed out to a lot of IT departments to help them upgrade to Windows 95. Included on the disc was an install package for Windows 95 and a series of document files. The one named OEMLTR.DOC, written for Original Equipment Manufacturers, contained the Concept macro.
Graham Cluley went on to note that, rather than being a prank: “Concept became the most widespread computer virus of any kind — largely because users were much more likely to exchange Word documents with their colleagues than floppy disks or .EXE files.”
For more technical details about how the Concept macro virus “succeeded,” and Microsoft’s fumbled attempts to solve the problem that its own macro design decisions created, I highly recommend Graham’s 2020 article: 25 years on, Microsoft makes another stab at stopping macro malware.
Another good source is the Virus Encyclopedia, which provides a technical analysis, and this description of how Concept’s “achievements” endured for several years:
"In addition to being the first Word macro virus, Concept was also the most common virus of its time. It started off a bit slow, accounting for less than 20% of all virus infections in the first half of 1996, then under one third in the second half of that year. Concept accounted for one half of all viruses reported at one point in the year 1997 and one third for the whole year." (Virus Encyclopedia)
Zoom forward to 2025 and you can get an ironic perspective on the history and mechanics of Microsoft macros by asking a current Microsoft product, Copilot, about these topics. I did that, so you don’t have to, and put the results in this document (PDF): Microsoft Copilot on Word macro malware, security, and WordPerfect.
The infection effect
Like many cases of what could go wrong actually going wrong, this first round of Word macro virus woes impacted the lives of a lot of people. Imagine you’re a freelance tech journalist in the summer of 1995. You’re enjoying a coffee break after submitting your article about an important new software product to the business editor at a major magazine. The phone rings. It’s the editor and she is not happy! Apparently, your article, sent to her as a Microsoft Word document attached to an email, has messed up her computer. Not only that, it has messed up the copy editor’s computer, and her boss’s computer, and they all want answers!
Unfortunately, that was not an uncommon scenario during the autumn of 1995, thanks to this new and very infectious form of computer virus that Microsoft was digitally distributing to the world. The ensuing mayhem, the frantic efforts by Word users and IT departments to stop the virus spreading and clean up the mess it made when those efforts failed, was both expensive and ironic. I’m not aware of any other case of a software company spreading a highly infectious virus created with its own software and spread by its own product promotion materials.
At this point, I should point out that the original Concept macro virus did not try to do anything other than spread itself. In other words, although it was an expensive nuisance that created huge headaches and unbudgeted costs for IT departments, it did not deliver a malicious payload.
What Concept did deliver was a template for malicious activity. Making your own version of Concept, one that executed further instructions, was relatively easy. Quite naturally, given what we know about human nature, people started to do that, and not just skilled programmers. Consider what one newspaper columnist wrote in September, 1995:
"Fifteen minutes after opening a Microsoft Word reference manual, I had cranked out a one-line program that could eliminate crucial system files from a hard drive. After an hour I had adapted the program to run automatically whenever anyone opened a file called HELPFUL.DOC."
The title of the column crisply conveys the breadth of the problem caused by Microsoft’s decision to combine content and code: “Easily created viruses make all files suspect”.
Incidentally, the writer of that column was Stephen Manes who went on to coauthor Gates: How Microsoft's Mogul Reinvented an Industry and Made Himself the Richest Man in America, widely considered the best-selling and definitive biography of Microsoft's founder, Bill Gates.
Microsoft’s gift to criminals
As I said earlier, the execution of malicious code that was made possible by Microsoft’s ill-advised approach to implementing macros constituted a whole new way for criminals to run their code on your computer, a capability that enables a vast array of different cybercrimes.
Hacking into just one computer can yield a lot of valuable data, processing power, connectivity, and unauthorized access, all of which can be exploited for crimes and malicious acts, as depicted by Brian Krebs in this classic diagram.
As Graham Cluley pointed out, before macros in document files, malicious code had to be embedded in an executable file. By 1994, diligent screening of all incoming executable files for dodgy code was proving to be a pretty good defense strategy. One reason for this was the operating system-specific nature of program code. An app written to be executed by the Microsoft Windows operating system could not be executed by an Apple Mac.
Microsoft’s deployment of code-executing cross-platform apps, like Word or Excel, changed all that, a change amplified over time by the shift from the floppy disk-based file-sharing that Graham Cluley noted, to sharing via email and network connections. The implications of this were highlighted in some of the early coverage of the ground-breaking and law-flouting capabilities of Word macro viruses.
For example, this article published in Scientific American in November of 1995 emphasized the fact that Word macros might be leading the way for multiple types of malicious code that could run on more than one computing platform (e.g. Mac as well as Windows).
Something crimey this way comes
In part two of this article, I will continue the sorry saga of macro-malware exploitation as it evolved, through the nineties and into the noughties, to become a key enabler of ransomware in the twenty teens, and potentially forever after. Here are some notable milestones:
the 1996 release of a macro virus that infected Microsoft Excel spreadsheets (Laroux)
the further expansion of macro programming capabilities in late 1996 when Microsoft’s Visual Basic for Applications (VBA) was introduced into Microsoft Word 97
the expansion of Microsoft’s office suite in 1999 to include email, promptly weaponised by the Melissa virus which accessed the user's Outlook address book and sent itself to the first 50 contacts therein, thereby hijacking one million email accounts
the use of Word doc macros to download and install ransomware, such as Locky which appeared in 2016 and quickly extorted more than $1 billion from victims
I will also show that three decades of lessons taught by Microsoft’s macro disaster are still being ignored, even as artificial intelligence (AI) is being deployed at scale, further proof that the male-dominated tech world continues to vastly underestimate the risks that it creates while overestimating human capacity to mitigate them.
Many cybersecurity experts are now pointing out that AI is effectively giving criminals and other malefactors an edge when it comes to abusing technology for their own ends. Even the widely used AI chatbot, ChatGPT, can see this. It recently stated the following in an open letter to world leaders:
"if cybercrime continues to outpace our collective response, AI will not be a tool of progress but a battlefield where innovation is stifled, trust is shattered, and lives are lost." (ChatGPT-5, 2025)
Despite all of this, Microsoft is now busy integrating Copilot, its AI product, into Word, Excel, Outlook and the rest of its office software (collectively Microsoft 365). And already we are seeing headlines like this on MSN: New Microsoft Copilot flaw signals broader risk of AI agents being hacked
Sure enough, researchers at a company called AIM Security found a vulnerability that “lets a hacker trigger an attack simply by sending an email to a user, with no phishing or malware needed. Instead, the exploit uses a series of clever techniques to turn the AI assistant against itself.”
And so it goes, trillion dollar companies pushing yet more productivity tools that can be turned against their users, brought to you by a male-dominated industry feverishly focused on profit and utterly bereft of empathy for those who suffer from the “pranks” that ensue. What a concept!
[Look for Macro virus mayhem part deux: AI rising, coming soon]
Notes and References
Harm and online crime: I have written and spoken quite a lot about the harmful effects of cybercrime and how they extend well beyond financial losses and into physical health and personal wellbeing. This work, including references to the supporting research, can be found by following links:
Cybersecurity and cybercrime: For more articles on these topics, going back many years, visit this blog where my partner and I have been posting about information security for 20 years.
Credentials: I have been working with, and writing about, computers since 1980 when I was hired to develop a digital reporting and auditing system for oil and gas production taxes using an IBM mainframe. I got my first personal computer in 1982 and by 1985 I was teaching IBM customers how to use the IBM PC. I wrote my first software handbook in 1987 (Using Reflex: the Database Manager, Osborne McGraw-Hill). Several more books followed, including these:

In the early 1990s I wrote a lot of software reviews and tutorials for the booming PC magazine market. During the 18-month period from July 1993 to the end of 1994, those magazines published 300,000 words by me about personal computer software, including 60,000 words on spreadsheets and 48,000 on word processors. (Those numbers are from my financial records because back then publishers paid you by the word.)
Background: This article started out as a brief reminder that it has now been 30 years since the first Microsoft Word macro virus was unleashed upon the world, a technology that has enabled criminals to carry out ransomware attacks against a wide range of companies, hospitals, universities, local and national governments, and NGOs. The story of how all this happened has always struck me as a classic example of how humans, mainly male humans, get technology wrong by failing to consider a question that is fundamental to sustaining the collective well-being of our species: what could possibly go wrong? This failure stems, in my opinion, from two factors: an excessive belief in one's own abilities; and a dearth of empathy for one’s fellow beings. These two factors are clearly at play in the development and deployment of many products referred to as being, or containing, artificial intelligence.
Audience: As I wrote this “brief reminder” I kept adding more details and context to make my account more accessible to a wider audience while also acceptable to readers already familiar with terms like macro virus and .EXE files. The result outgrew a reasonable length for a single article, hence the two-part approach.





