Microsoft has disabled Excel 4.0 macros by default in the latest release of its spreadsheet software to help customers protect themselves against related security threats.
That setting, released in July as an optional configuration in the Excel Trust Center, is now the default when opening Excel 4.0 macros (XLM), Microsoft said in a blog post.
A macro is a series of commands that you can use to automate a repeated task, and can be run when you have to perform the task. But unexpected macros can pose a significant security risk. You don't have to enable macros to see or edit the file; you only need to if you want the functionality provided by the macro. But crooks will try to trick the unwary into enabling macros and then use that functionality as part of their attacks.
The move to restrict Excel 4.0 macros is an attempt to counter a rise in ransomware and other malware groups using Excel 4.0 macros as part of an initial infection. State-sponsored and cybercriminal attackers started experimenting with legacy Excel 4.0 macros in response to Microsoft's 2018 crackdown on macro scripts written in Visual Basic for Applications (VBA).
The initial Excel Trust Center settings targeted organizations that wanted VBA and legacy macros to run via the setting "Enable Excel 4.0 macros when VBA macros are enabled". This allowed admins to control the behavior of macros without impacting VBA macros.
Excel 4.0 macros are now disabled by default in Excel build 16.0.14427.10000 and later. Admins can still configure the setting in Microsoft 365 applications policy control.
Microsoft has added some new policy setting options to the original Group Policy settings that were made available in July.
Now there is also the option to manage the policy setting in the Office cloud policy service, which applies to users who access Office apps from any device with their Azure Active Directory (AAD) account. The policy can also be managed from Microsoft Endpoint Manager.
To block XLM across the board, including new files created by users, admins can set Group Policy to "Prevent Excel from running XLM". This can be done via Group Policy Editor or registry key.
This should help admins mitigate VBA and XLM malware threats using policy. Microsoft has addressed the antivirus side of defense via an integration between its Antimalware Scan Interface (AMSI) and Office 365 that Defender and third-party antivirus products can use.
The AMSI-Office 365 integration allowed scanning of Excel 4.0 macros at runtime last year, bringing it in line with the same runtime scanning capability for VBA macros in 2018. Basically, when VBA runtime scanning for Excel arrived, attackers moved to older XLM-based macros, which they knew organizations still used for legitimate purposes and which were powerful enough to call Win32 interfaces and run shell commands.