Microsoft's finally disabling "security horror" Excel XLM macros by default

1992 wants its macros turned on.

Microsoft is gearing up to finally disable Excel 4.0 XLM macros by default in Microsoft 365 tenants, after years of rampant abuse. XLM macros are a legacy macro language introduced to Excel in 1992.

Although they have long been superseded by Microsoft-recommended VBA macros, Excel 4.0 macros remain in use in some organisations for automating repetitive tasks and loading business data into Excel.

Windows admins can already disable Excel 4.0 macros by using group policies to kill off the feature. Many don't.

Analysis by security firm ReversingLabs of 160,000 Excel 4.0 documents between November 2020 and March 2021 found that over 90% were classified as malicious or suspicious. (They are widely used to distribute malware such as ZLoader and Qakbot.) Microsoft only integrated its Antimalware Scan Interface (AMSI) with Office 365 to include runtime scanning of Excel 4.0 (XLM) macros in March 2021.


A message posted to the Microsoft 365 message centre detailed the timing:

  • Insiders-Slow: will rollout in late Oct and be complete in early Nov
  • Current Channel: will rollout in early Nov and be complete in mid-Nov
  • Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-Dec.

The setting "Enable XLM macros when VBA macros are enabled" will then be unchecked by default.

As Microsoft noted in March 2021, "XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands."
