Microsoft has announced that Excel 4.0 (XLM) macros will now be disabled by default to protect customers from malicious documents.
In October, the company first revealed in an update to the Microsoft 365 Message Center that it would disable XLM macros in all tenants where users or administrators had not manually enabled or disabled the feature.
Since July 2021, Windows administrators have also been able to use Group Policy, and users the “Enable XLM macros when VBA macros are enabled” setting in the Excel Trust Center, to disable this feature manually.
“In July 2021, we released a new Excel Trust Center configuration option to restrict the use of Excel 4.0 (XLM) macros,” noted Catherine Pidgeon, senior program manager at Microsoft, earlier this week in a Tech Community blog post.
“As expected, we have now made this setting the default when opening Excel 4.0 (XLM) macros. This will help our customers protect against related security threats.”
Administrators can configure how Excel macros are allowed to run using Group Policy settings, Cloud Policies, and ADMX policies.
They can also block all use of Excel XLM macros in their environments (including new user-created files) by enabling the “Prevent Excel from running XLM macros” Group Policy, configurable through the Group Policy Editor or a registry key.
Currently, XLM macros are disabled by default in the September fork (Excel version 16.0.14527.20000 and later), available in:
- Current channel versions 2110 or higher (first released in October)
- Monthly Enterprise Channel versions 2110 or higher (first released in December)
- Semi-Annual Enterprise Channel (Preview) builds 2201 or higher (first shipping March 2022)
- Semi-Annual Enterprise Channel builds 2201 or higher (shipping July 2022)

Even though VBA-based macros were introduced with the release of Excel 5.0, threat actors still use the older XLM macros more than two decades later to create documents that deploy malware or perform other malicious behavior.
Malicious campaigns using XLM macros to push malware have been observed downloading and installing TrickBot, Zloader, Qbot, Dridex, and many other strains on victims’ computers.
Microsoft also quietly added a Group Policy in October 2019 that allows administrators to prevent Excel users from opening untrusted (and potentially malicious) Microsoft Query files with the extensions IQY, OQY, DQY, and RQY.
These files have been weaponized in numerous malicious attacks to deliver remote access Trojans and malware loaders since early 2018.