Microsoft restricts Excel 4.0 macros by default

The awaited update will finally minimize security threats

XLM macros have been used for malware delivery since the '90s

In July 2021, Microsoft released a new Excel Trust Center setting to restrict the use of Excel 4.0 (XLM) macros. However, that still did not give enough comfort to many Excel users. Microsoft has now made this setting the default, so Excel 4.0 (XLM) macros are restricted when a workbook is opened. This will help many people keep their Windows systems safe from cyber attacks.

Hopefully, the Excel gateway has been closed to cybercriminals and we will not hear about major malware attacks in the future. The new setting disables XLM macros by default starting with Excel build 16.0.14427.10000, so users on older builds should update if they want the new default without having to look for it in the settings.

Administrators now also have the option to completely block all XLM macro usage by enabling the Group Policy “Prevent Excel from running XLM macros”, which is configurable via the Group Policy Editor or a registry key. This should help administrators mitigate VBA[1] and XLM malware threats through policy. Microsoft has also addressed the antivirus side of the defense through an integration between the Antimalware Scan Interface (AMSI)[2] and Office 365, which Windows Defender and third-party antivirus software can hook into.

Microsoft turns off XLM after three decades of macro viruses

Excel 4.0 macros have been a potential gateway for malware since their introduction in 1992. They provided the ability to add commands into spreadsheet cells that could be executed to perform tasks. Unfortunately, it was quickly found that they could be used to perform malicious tasks just like any code. Since then, office documents have been used for ransomware, trojan, and other types of malware delivery into Windows systems.

Cybercriminals have always preferred Office macros because they offer a way to spread malware reliably without having to exploit any vulnerabilities. XLM (aka Excel 4.0) macros have been used by many well-known malware families, such as ZLoader, TrickBot, BitRat, QBot, Dridex, FormBook, and StrRAT. Many people fail to understand why Microsoft waited so long to disable XLM macros, since they were not even used by the majority of users.

This begs the question of whether, by expecting every single Excel user to disable macros individually for so many years instead of disabling them by default, Microsoft has been putting off this serious issue for no good reason. Microsoft knew the feature was causing a lot of damage to many Windows users but chose to keep XLM macros enabled, even though most people use VBA macros anyway.

Why you should stop using XLM macros altogether

XLM macros were the default Excel macro format until Excel 5.0 was released in 1993, when Microsoft introduced VBA macros, which are still the default format today. One of the main differences between XLM and VBA macros is the Component Object Model (COM).[3] Because COM was developed after XLM macros, XLM macros cannot interact with it. Another important consideration is that VBA maldocs are frequently detected by antivirus tools, while XLM maldocs are not.

The reason behind this is that XLM macros are stored completely differently than VBA macros in Excel files. XLM maldocs end up in a blind spot and cannot be detected, analyzed, or stopped by security tools. This is why threat actors can use XLM to create documents that deploy malware or perform other malicious tasks by manipulating files on the local file system.[4]

In modern Excel files, XLM macros are tucked away in an XML file in the macrosheets subdirectory. In older versions of Excel, Excel 4.0 macros are embedded in the Workbook OLE stream, while VBA macros are stored in a separate container. No wonder many Excel users have been begging Microsoft to make this change. Hopefully, the era of macro malware in Excel is officially over.
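The two paragraphs above explain why XLM maldocs slip past tools that only look for a VBA project: the macro code lives in a different place in the container. The following script is an added example, not code from the article or from Microsoft, showing how a defender can triage a workbook for that storage layout. It inspects an OOXML (.xlsm/.xlsx) zip for parts under xl/macrosheets/ and for the Excel macro-sheet content type declared in [Content_Types].xml, reports whether a separate VBA project (xl/vbaProject.bin) is present, and flags legacy OLE2 (.xls) files as needing a BIFF-aware parser because, as the article notes, XLM there sits inside the Workbook stream. The sample workbooks are constructed in memory; the part names and content type string are standard OOXML values, and the helper names are the author's own.

```python
import io
import zipfile
from typing import Dict, List, Union

# Standard OOXML content type for an Excel 4.0 macro sheet part (checked in
# addition to the path, because a maldoc can rename the part but still must
# declare this type for Excel to treat it as a macro sheet).
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# Magic bytes of a legacy OLE2 compound file (.xls, .doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_workbook(with_xlm: bool, with_vba: bool = False) -> bytes:
    """Constructed, stripped-down OOXML container used as sample input (not a real file)."""
    buf = io.BytesIO()
    overrides: List[str] = [
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    ]
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            # Excel 4.0 macro sheet, stored as XML under xl/macrosheets/.
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
            overrides.append(
                f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
            )
        if with_vba:
            # VBA lives in its own binary container, separate from the sheets.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-placeholder\x00")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


def triage_workbook(data: bytes) -> Dict[str, Union[str, bool, List[str]]]:
    """Classify a workbook's container and report where macro code could be stored."""
    result: Dict[str, Union[str, bool, List[str]]] = {
        "format": "unknown",
        "xlm_parts": [],
        "has_xlm": False,
        "has_vba_project": False,
    }
    if data.startswith(OLE_MAGIC):
        # Legacy binary workbook: XLM is embedded in the BIFF records of the
        # Workbook stream, so a zip-level scan cannot see it. Escalate to a
        # BIFF-aware tool rather than reporting "clean".
        result["format"] = "ole2"
        return result
    if not data.startswith(b"PK"):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["format"] = "ooxml"
        xlm_parts = [n for n in names if n.lower().startswith("xl/macrosheets/")]
        result["xlm_parts"] = xlm_parts
        result["has_vba_project"] = "xl/vbaProject.bin" in names
        declared = False
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = MACROSHEET_CT in content_types
        # Either signal is enough: a renamed part still carries the content type,
        # and a missing override still leaves the part under xl/macrosheets/.
        result["has_xlm"] = bool(xlm_parts) or declared
    return result


if __name__ == "__main__":
    for label, sample in [
        ("xlm-only", build_sample_workbook(with_xlm=True)),
        ("vba-only", build_sample_workbook(with_xlm=False, with_vba=True)),
        ("legacy", OLE_MAGIC + b"\x00" * 8),
    ]:
        print(label, triage_workbook(sample))
```

The point of checking both the path and the declared content type is the blind spot the article describes: a scanner that only asks "is there a vbaProject.bin?" answers "no" for an XLM-only workbook and passes it. Treat an OLE2 result as "inconclusive" and hand it to a BIFF parser; this script deliberately does not pretend to read the Workbook stream.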

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
