[TheRecord] Microsoft to disable Excel 4.0 macros, one of the most abused Office features

Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also called XLM macros, for all Microsoft 365 users by the end of the year, according to an email the company sent customers this week, which was also seen by The Record.

Introduced in 1992 with the release of the Excel 4.0 software — from where the feature also gets its name — XLM macros allow users to enter complex formulas inside Excel cells that can execute commands, either inside Excel or on the local filesystem.

While XLM macros were replaced with the release of Excel 5.0, which introduced VBA-based macros, support for this feature has remained inside the Office Excel software to this day.

Excel 4.0 macros have been widely abused over the past two years

As with most Office tools that allow basic scripting-like actions, the feature has been abused over the course of the past decades by both financially motivated groups and state-sponsored threat actors alike.

But the abuse has never been as rampant as it has been since early 2020, when several security researchers noted the sudden and unexplainable increase in attention XLM macros had been getting from numerous top-tier threat actors.

Reports from VMware, ReversingLabs, Lastline, MadLabs, Expel, DeepInstinct, and many others referenced a spike in malware strains and threat actors abusing XLM macros, used in anything from cyber-espionage to banking trojans, and from ransomware to cryptocurrency theft.

Microsoft, too, has been aware of this issue, and added XLM macro support to the Antimalware Scan Interface (AMSI) for Office 365 in March 2021 as a way “to help antivirus solutions tackle the increase in attacks that use malicious XLM macros.”

However, over the summer months, several security researchers publicly criticized Microsoft for leaving users exposed to attacks and asked for more from the OS maker, namely, to disable the feature by default inside Office applications.

This way, they argued, the companies which rely on it could re-enable it for their employees while everyone else remained protected in case they received an Excel file boobytrapped with a malicious XLM macro.

But while Microsoft is not disabling the feature for all users, it is taking steps to disable it, by default, for its paying customers, part of the Microsoft 365 service.

In an email sent to Microsoft 365 customers, Microsoft has laid out its plan to disable the feature across three stages:

Insiders-Slow: will roll out in late October and be complete in early November.

Current Channel: will roll out in early November and be complete in mid-November.

Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-December.
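Ahead of these dates, an organization can check which of its workbooks still contain Excel 4.0 macro sheets and so depend on the feature. The following is an added example, not code from The Record or Microsoft: it covers only zip-based workbooks (.xlsx/.xlsm), where macro sheets are declared in `[Content_Types].xml`; the function names are hypothetical and the sample file is constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types that mark an Excel 4.0 (XLM) macro sheet part in an OOXML package.
XLM_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
MAX_MANIFEST = 1_000_000  # refuse oversized manifests (zip-bomb guard)

def find_xlm_macro_sheets(data: bytes) -> list[str]:
    """Return the part names of XLM macro sheets in an .xlsx/.xlsm file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip-based workbook (legacy .xls is out of scope)")
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            if zf.getinfo("[Content_Types].xml").file_size > MAX_MANIFEST:
                raise ValueError("content-types manifest too large")
            # stdlib parser for portability; use a hardened XML parser in production
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for override in root.iter(CT_NS + "Override"):
                if override.get("ContentType", "").lower() in XLM_TYPES:
                    hits.add(override.get("PartName", "").lstrip("/"))
        # Fallback: default folder name, in case the manifest is missing or altered.
        hits.update(n for n in names
                    if n.lower().startswith("xl/macrosheets/")
                    and "/_rels/" not in n and not n.endswith("/"))
    return sorted(hits)

def build_sample(with_macro_sheet: bool) -> bytes:
    """Constructed package skeleton for the demo; not a real workbook."""
    parts = {"xl/worksheets/sheet1.xml":
             "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"}
    if with_macro_sheet:
        parts["xl/macrosheets/sheet1.xml"] = "application/vnd.ms-excel.macrosheet+xml"
    manifest = '<Types xmlns="%s">%s</Types>' % (CT_NS[1:-1], "".join(
        '<Override PartName="/%s" ContentType="%s"/>' % p for p in parts.items()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        for name in parts:
            zf.writestr(name, "<placeholder/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_xlm_macro_sheets(build_sample(True)))
```

A non-empty result means the workbook carries at least one XLM macro sheet; it says nothing about whether the macro is benign.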

I actually didn’t think I would live to see the day. https://t.co/THOad3oGrv

— just gigs (she/her) (@Gigs_Security) October 7, 2021

Customers who’d like to disable XLM (Excel 4.0) macros right now can follow the following steps.

With XLM macros disabled, researchers are now asking Microsoft to do the same for VBA macros as well.

The post Microsoft to disable Excel 4.0 macros, one of the most abused Office features appeared first on The Record by Recorded Future.
