Microsoft has announced that it plans to disable a legacy feature called “Excel 4.0 macros” (XLM macros) for all Microsoft 365 users by the end of the year.
XLM macros are a feature introduced in Excel 4.0, released in 1992, that allows you to enter complex formulas in Excel cells and execute commands in Excel or in the local file system.
The XLM macro was replaced in the Excel 5.0 release with the introduction of VBA-based macros, but this functionality is still supported within the Office Excel software.
Excel 4.0 macros have been widely abused over the past two years
However, this feature has been exploited over the past few decades by both financially motivated and state-sponsored threat groups.
Many researchers, including VMWare, ReversingLabs, Lastline, MadLabs, Expel, DeepInstinct, and others, have reported a rapid increase in the number of malware types and threat groups that exploit XLM macros.
This malware has been used for everything from cyber espionage and banking Trojans to ransomware and cryptocurrency theft.
Microsoft is also aware of this issue and added support for XLM macros to the Antimalware Scan Interface (AMSI) in Office 365 in March 2021.
“To help antivirus solutions tackle the growing number of attacks that use malicious XLM macros.
However, several security researchers have criticized Microsoft for leaving users exposed to attacks and called for disabling this feature by default within Office applications.
This way, they argued, other users would remain protected even if they received an Excel file with malicious embedded XLM macros, and companies that rely on this feature could re-enable it for their employees.
Microsoft has now taken steps to disable this feature by default for paying customers who are part of the “Microsoft 365” service, although it is not disabled for all customers.
In an email sent to Microsoft 365 customers, Microsoft outlined a three-step plan to disable this feature.
- Insider Slow: Rollout will begin in late October and be completed in early November.
- Current Channel: Rollout will begin in early November and be completed in mid-November.
- MEC (Monthly Enterprise Channel): Rollout will begin in mid-December and will be complete.
Customers who want to disable XLM (Excel 4.0) macros right now can do so by following the steps below.
You can configure the Trust Center in Excel by following the steps below.
File > Options > Trust Center > Trust Center Settings > Macro Settings
If you select the checkbox, the above settings set for VBA macros will also be applied to XLM macros.
To disable XLM macros without notification, unset the checkbox (recommended).
This release has no impact on the default or previous macro settings, but please note that the default XLM macro behavior will change soon.