Microsoft to disable Excel 4.0 macros, one of the most abused Office features
Catalin Cimpanu October 7, 2021

Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also known as XLM macros, for all Microsoft 365 users by the end of the year, according to an email the company sent to customers this week, which was also seen by The Record.

Introduced in 1992 with the release of the Excel 4.0 software — from where the feature also gets its name — XLM macros allow users to enter complex formulas inside Excel cells that can execute commands, either inside Excel or on the local filesystem.

While XLM macros were replaced with the release of Excel 5.0, which introduced VBA-based macros, support for this feature has remained inside the Office Excel software to this day.

Excel 4.0 macros have been widely abused over the past two years

As with most Office tools that allow basic scripting-like actions, the feature has been abused over the course of the past decades by both financially motivated groups and state-sponsored threat actors alike.

But the abuse has never been as rampant as it has been since early 2020, when several security researchers noted the sudden and unexplainable increase in attention XLM macros had been getting from numerous top-tier threat actors.

Reports from VMware, ReversingLabs, Lastline, MadLabs, Expel, DeepInstinct, and many others referenced a spike in malware strains and threat actors abusing XLM macros, used in anything from cyber-espionage to banking trojans, and from ransomware to cryptocurrency theft.

[Figure: XLM-lastline. Image: Lastline]

Microsoft, too, has been aware of this issue, and added XLM macro support to the Antimalware Scan Interface (AMSI) for Office 365 in March 2021 as a way “to help antivirus solutions tackle the increase in attacks that use malicious XLM macros.”

However, over the summer months, several security researchers publicly criticized Microsoft for leaving users exposed to attacks and asked more of the OS maker, namely, to disable the feature by default inside Office applications.

This way, they argued, the companies that rely on it could re-enable it for their employees while everyone else remained protected in case they received an Excel file booby-trapped with a malicious XLM macro.

But while Microsoft is not disabling the feature for all users, it is taking steps to disable it, by default, for its paying customers who are part of the Microsoft 365 service.

In an email sent to Microsoft 365 customers, Microsoft has laid out its plan to disable the feature across three stages:

  • Insiders-Slow: will roll out in late October and be complete in early November.
  • Current Channel: will roll out in early November and be complete in mid-November.
  • Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-December.

Customers who’d like to disable XLM (Excel 4.0) macros right now can follow the following steps.

With XLM macros disabled, researchers are now asking Microsoft to do the same for VBA macros as well.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.