Microsoft Office has supported ActiveX for years as an option for document extension and automation, but it's also a serious security risk. Now, Microsoft is finally starting to disable ActiveX in Microsoft 365 apps, following a similar move with the Office 2024 suite last year.
Important Security Changes
Starting this month, Windows versions of Microsoft Word, Excel, PowerPoint, and Visio in Microsoft 365 will disable all ActiveX content by default without displaying a notification. The Mac and web versions of Office have never supported ActiveX.
"The previous default setting allowed users to enable potentially dangerous ActiveX controls, which could be exploited by hackers through social engineering or malicious files. The new default setting is more secure because it completely blocks these controls, reducing the risk of malware or unauthorized code execution," Microsoft said in a blog post.
This change was rolled out in Microsoft Office 2024, but now it will apply to subscription-based Microsoft 365 apps as well. The feature is currently available on the Beta Channel for Version 2504 (Build 18730.20030) and later and will roll out to all Windows users soon.

ActiveX is not completely removed
It's important to note that ActiveX has not been completely removed from Office applications. Some organizations may still have it enabled, and individual accounts can re-enable it by going to:
File > Options > Trust Center > Trust Center Settings > ActiveX Settings > Prompt me before enabling all controls with minimal restrictions.
Microsoft released the first version of ActiveX in 1996, allowing web pages in Internet Explorer and Office documents to embed complex code and interactive content. For example, ActiveX can create buttons and checklists in Office documents that can modify the document or perform external actions when clicked.
While ActiveX has some legitimate uses, it is more notorious for phishing and malware attacks. There have been multiple security vulnerabilities in ActiveX that allow a seemingly innocent Word or PowerPoint document to change Windows settings and files. It was also a frequent security and privacy threat in Internet Explorer and never made it to Microsoft Edge.
Microsoft previously updated Office applications to not automatically run ActiveX content, but some malicious files can still trick users into clicking the "Enable Content" button. Microsoft removing this option by default should help reduce attacks, while still allowing ActiveX to run if absolutely necessary.
This change appears to be the final step before ActiveX is removed from Office entirely, but it's unclear when (or if) that will happen. Some documents only work properly with ActiveX, and Microsoft's new Add-ins platform isn't a complete replacement.
Disabling ActiveX is another step in Microsoft's efforts to reduce security risks, especially as phishing and malware attacks become more sophisticated.
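
Because some documents only work properly with ActiveX, an administrator may want to inventory them before the new default reaches all users. The following is an added example, not code from Microsoft or from the original article: it lists the ActiveX control parts declared in an Open XML file (.docx, .xlsx, .pptx), relying on the packaging convention that such parts are registered in [Content_Types].xml with the content type application/vnd.ms-office.activeX+xml. The function names, the size cap and the sample package are assumptions made for the illustration.

```python
# Added example: function names, MAX_PART and the sample package are illustrative.
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
ACTIVEX_TYPE = "application/vnd.ms-office.activeX+xml"
MAX_PART = 1 << 20  # documents are untrusted input: cap the size of parsed parts

def _xml(zf, name):
    """Parse one package part, refusing oversized parts and DTDs."""
    data = zf.read(name) if zf.getinfo(name).file_size <= MAX_PART else None
    if data is None or b"<!DOCTYPE" in data:
        raise ValueError(f"{name}: refused (too large or contains a DTD)")
    return ET.fromstring(data)

def find_activex(package):
    """Return [(part_name, classid)] for ActiveX parts in an Open XML file.
    Legacy .doc/.xls/.ppt files are not ZIP packages and raise ValueError."""
    try:
        zf = zipfile.ZipFile(package)
    except zipfile.BadZipFile as exc:
        raise ValueError("not an Open XML (ZIP) package") from exc
    with zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            raise ValueError("missing [Content_Types].xml")
        hits = []
        for ov in _xml(zf, "[Content_Types].xml").iter(f"{{{CT_NS}}}Override"):
            name = ov.get("PartName", "").lstrip("/")
            if ov.get("ContentType") == ACTIVEX_TYPE and name in names:
                hits.append((name, _xml(zf, name).get(f"{{{AX_NS}}}classid")))
        return hits

def sample_package(with_control):
    """Constructed sample: a minimal package, optionally with one control."""
    override = (f'<Override PartName="/word/activeX/activeX1.xml" '
                f'ContentType="{ACTIVEX_TYPE}"/>') if with_control else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="{CT_NS}">{override}</Types>')
        if with_control:
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid='
                        '"{00000000-0000-0000-0000-000000000000}"/>')
    buf.seek(0)
    return buf
```

`find_activex` accepts a file path as well as a file object, so it can be run over a document share; the class ID it returns identifies which control each document depends on.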