Microsoft has announced that Excel 4.0 (XLM) macros are now disabled by default to protect users from malicious documents. Attackers still use XLM macros to create documents that deploy malware, and current versions of Microsoft Office still support such macros. Malicious campaigns using such macros can distribute TrickBot, Zloader, Qbot, Dridex and other similar malware.
Bleeping Computer recalls that back in October 2021, the company first announced that it would disable XLM macros, but that users and administrators would be able to manage them manually.
So, starting in the summer of 2021, administrators can use Group Policies, and users can use the “Enable XLM macros when VBA macros are enabled” setting in the Excel Trust Center, to manually disable this feature.
Administrators can control who is allowed to run macros in Excel, and how, using Group Policy, cloud policies, and ADMX policies. They can also block all Excel XLM macros entirely (including in new files created by users) by enabling the “Prevent Excel from running XLM macros” group policy.
Currently, XLM macros are disabled by default in the September fork, in Excel version 16.0.14527.20000 and newer.
XLM macros (also known as Excel 4.0 macros) were the default Excel macro format until Excel 5.0 was released in 1993, when Microsoft first introduced VBA macros, which are still the default format today.
However, even though the XLM format has been discontinued, attackers are still using it three decades later to create documents that deploy malware or perform other malicious actions by manipulating files on the local file system, because current versions of Microsoft Office still support XLM macros.
Malicious campaigns using this type of macro to spread malware have been seen downloading and installing TrickBot, Zloader, Qbot, Dridex, and many other strains on victims’ computers.
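For triage, or to inventory which workbooks would be affected before enforcing the “Prevent Excel from running XLM macros” policy, a defender can check whether an OOXML workbook carries Excel 4.0 macro sheets at all. The following is an added example, not code from Microsoft or from the original article; the function names and the sample package are constructed for illustration, and legacy binary .xls files are out of scope.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content types Excel assigns to Excel 4.0 (XLM) macro sheets in OOXML packages.
XLM_TYPES = {"application/vnd.ms-excel.macrosheet+xml",
             "application/vnd.ms-excel.intlmacrosheet+xml"}
CT_PART = "[Content_Types].xml"
MAX_CT_SIZE = 1 << 20  # skip an oversized content-types part (decompression-bomb guard)

def _declared_macro_parts(raw: bytes) -> set[str]:
    """Parts that [Content_Types].xml declares as XLM macro sheets."""
    if b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD; do not parse one
        return set()
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return set()
    return {ov.get("PartName", "").lstrip("/") for ov in root.iter(CT_NS + "Override")
            if ov.get("ContentType", "").lower() in XLM_TYPES}

def find_xlm_sheets(data: bytes) -> list[str]:
    """Return the package parts of an .xlsx/.xlsm file that are XLM macro sheets."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an OOXML package (e.g. legacy .xls); needs a different parser
    with zf:
        names = zf.namelist()
        # Conventional folder for macro sheets; still matches if content types were edited.
        hits = {n for n in names if n.lower().startswith("xl/macrosheets/")
                and n.lower().endswith(".xml")}
        if CT_PART in names and zf.getinfo(CT_PART).file_size <= MAX_CT_SIZE:
            hits |= _declared_macro_parts(zf.read(CT_PART))
    return sorted(hits)

def build_sample(with_xlm: bool) -> bytes:
    """Constructed minimal package for demonstration; not a complete workbook."""
    override = ('<Override PartName="/xl/macrosheets/sheet1.xml" '
                'ContentType="application/vnd.ms-excel.macrosheet+xml"/>') if with_xlm else ""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             + override + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CT_PART, types)
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()
```

A non-empty result only means the workbook contains an XLM macro sheet, not that the macro is malicious; it marks the file for closer inspection.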
Let me remind you that we also wrote that Disabling macros in Microsoft Office for Mac puts users at risk of attack, and also that 0-day vulnerability in Microsoft MHTML is exploited to attack Office 365 users.