[TheRecord] Microsoft to disable Excel 4.0 macros, one of the most abused Office features

Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also called XLM macros, for all Microsoft 365 users by the end of the year, according to an email the company sent customers this week, which was also seen by The Record.

Introduced in 1992 with the release of the Excel 4.0 software — from where the feature also gets its name — XLM macros allow users to enter complex formulas inside Excel cells that can execute commands, either inside Excel or on the local filesystem.

While XLM macros were replaced with the release of Excel 5.0, which introduced VBA-based macros, support for this feature has remained inside the Office Excel software to this day.

Excel 4.0 macros have been widely abused over the past two years

As with most Office tools that allow basic scripting-like actions, the feature has been abused over the course of the past decades by both financially motivated groups and state-sponsored threat actors alike.

But the abuse has never been as rampant as it has been since early 2020 when several security researchers noted the sudden and unexplainable increased attention XLM macros had been getting from numerous top-tier threat actors.

Reports from VMWare, ReversingLabs, Lastline, MadLabs, Expel, DeepInstinct, and many others referenced a spike in malware strains and threat actors abusing XLM macros, used in anything from cyber-espionage to banking trojans, and from ransomware to cryptocurrency theft.

Image: Lastline

Microsoft, too, has been aware of this issue, and added XLM macro support to the Antimalware Scan Interface (AMSI) for Office 365 in March 2021 as a way “to help antivirus solutions tackle the increase in attacks that use malicious XLM macros.”

However, over the summer months, several security researchers have publicly criticized Microsoft for leaving users exposed to attacks and asked for more from the OS maker, namely, to disable the feature by default inside Office applications.

This way, they argued, the companies that rely on it could re-enable it for their employees while everyone else remained protected in case they received an Excel file boobytrapped with a malicious XLM macro.

But while Microsoft is not disabling the feature for all users, it is taking steps to disable it, by default, for its paying customers, part of the Microsoft 365 service.

In an email sent to Microsoft 365 customers, Microsoft has laid out its plan to disable the feature across three stages:

Insiders-Slow: will rollout in late October and be complete in early November.

Current Channel: will rollout in early November and be complete in mid-November.

Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-December.

I actually didn’t think I would live to see the day. https://t.co/THOad3oGrv

— just gigs (she/her) (@Gigs_Security) October 7, 2021

Customers who’d like to disable XLM (Excel 4.0) macros right now can follow the following steps.

With XLM macros disabled, researchers are now asking Microsoft to do the same for VBA macros as well.

The post Microsoft to disable Excel 4.0 macros, one of the most abused Office features appeared first on The Record by Recorded Future.
