Rage Against the Machine was at the top of the charts back when Microsoft first introduced the Excel4 Macros (XLM) feature in 1992 - a powerful scripting language that boosted the capabilities of its popular spreadsheet application.
Thirty years later, and faced with rampant exploitation of macros to place malware, the company said on January 19 that it was disabling support for XLM, in Excel by default. In that announcement, Microsoft said that the “restrict the usage of Excel 4.0 (XLM) macros” flag, first introduced in the Excel Trust Center in July 2021, will be enabled by default when opening Excel 4.0 (XLM) macros.
“This will help our customers protect themselves against related security threats,” the company said in its blog post at the time.
This week, the company went a step further. In an announcement on Monday, Microsoft said it was disabling XLM's successor, Visual Basic Application (VBA) macros, by default, as well - and for the entire Microsoft Office suite of applications: Excel, Access, Powerpoint, Word and Visio.
The change announced on Monday only affects Office apps on devices running Windows and will begin rolling out in Version 2203, in early April. Microsoft said it plans to eventually extend the policy to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013, the company said.
Macro Use Linked to Malware
The recent moves by the Redmond, Washington firm come after years of warnings from security researchers, including at ReversingLabs. Reports, for example, have called out XLM’s prominent role in malicious campaigns that use Excel documents as bait. The highly-obfuscatable nature of the Excel 4 macro language makes it a lucrative tool for malware authors to insert malicious code and bypass security scanner detection. For example, Excel 4 Macros have been a common tool in the Cobalt Strike arsenal that attackers use to deploy pre-ransomware beacons and staging malware to circumvent security protections at the enterprise gateway.
[ Check out our on-demand webinar: How Dangerous File Uploads Disrupt Critical Business Web & Mobile Apps ]
ReversingLabs researcher Karlo Zanki wrote back in April that the correlation between malware and XLM in files analyzed in our TitaniumCloud platform is staggering. Specifically: ReversingLabs researchers identified almost 160,000 files in the company’s TitaniumCloud that use Excel 4.0 (XLM) macros. On close inspection, more than 90% were classified as malicious or suspicious. As Karlo observed at the time, the correlation was so strong that “if you encounter a document that contains XLM macros, it is almost certain that its macro will be malicious.”
XLM-based attacks are a common feature of attacks by malware families like ZLoader and Qbot (aka Qakbot or Quakbot). The threat actors behind these malware families distribute their payloads in Excel documents, then use social engineering to convince their targets to enable macros in order to decrypt the content.
But the threat isn’t limited to those two groups. Excel files using malicious macros were recently discovered distributing the Emotet malware, according to an alert from Symantec. On any given day, malicious files using XLM are being delivered via email and use social engineering to entice the recipient to enable macros when opening the attachment. When executed, the macro accesses command and control servers to download additional malware, Symantec said.
No more insecure by default with Excel, Office
In light of that, Microsoft’s decision to disable both XLM and VBA macros by default in Excel and other Office applications is welcome news.
Looked at from above: organizations previously had to take extra steps in order to protect themselves from macro attacks hidden in common Microsoft Office files. They will now be protected by default. At the same time, organizations that turned a blind eye to the problem of malicious macros will have to take extra measures to make themselves insecure. That may lead to uncomfortable conversations within IT departments that ultimately result in a more secure posture overall.
Under the new regime, according to Microsoft, a user who opens an attachment or downloads an untrusted Office file containing macros will encounter a message bar that displays a warning alerting them that the file contains Visual Basic for Applications (VBA) macros obtained from the Internet.
Clicking on a Learn More button will take them to an article containing information about the security risk of bad actors using macros, safe practices to prevent phishing and malware, and instructions on how to safely enable macros.
Moving the security needle
Unfortunately, even with XLM and VBA macros disabled by default, we may not see that much of a change in the use of Office files by malicious actors. For one thing, Microsoft has long recommended disabling macros by default in Office.
That means attackers are conditioned to expect that macros may be disabled on many systems of their intended victims.But they also know that, in practice, local policies to “harden” Excel, Access and other applications are often overridden to support special users or legacy applications.
And, even when macros are disabled, attackers work around that. ReversingLabs sees sophisticated social engineering features coded into phishing campaigns from groups spreading malware like Qbot that fool would-be victims into overriding security settings and enabling XLM for Excel attachments so the attack can continue.
Attackers mimic security features to trick users into enabling Excel macros
Looking at the bright side: having to resort to social engineering to enable XLM and VBA macros adds friction to the attack. By reducing the likelihood that recipients of phishing emails will have macros enabled to begin with, Microsoft has made it harder for malware groups to get their code running on victim systems.
Office macros and the curse of legacy code
A more important question, given the data around malicious use of XLM and VBA macros, is: “why did it take 30 years for Microsoft to make this change?”
The culprits, of course, are “legacy applications.” As the dominant desktop operating system and office productivity vendor since the 1990s, Microsoft has had to maintain countless technologies and protocols far beyond their useful life simply to continue serving customers with internal applications and processes that rely on those legacy technologies. Yes, disabling support for tools like XLM and VBA macros is the smart security choice. But doing so would unleash havoc at Microsoft customer sites, as code lodged deep within enterprise applications and networks suddenly breaks. That’s a price Microsoft does not want to pay.
We can see this dynamic at work with some of Redmond’s other legacy technologies, as well. For example: security experts have long recommended that Microsoft end support for the NTLM (NT LAN Manager) protocol because of its susceptibility to trivial attacks like “Pass the Hash” and “Pass the Ticket,” that facilitate lateral movement by malicious actors. However, Microsoft continues to support NTLM, largely because of its continued and widespread use in legacy Windows applications and networks.
Solving the larger issues that allow insecure technologies and protocols to persist in modern organizations would help blunt phishing attacks and malware. Microsoft’s latest move to displace Excel 4 macros are a step in the right direction - but only a step.
In the meantime, the long tail of cyber risk linked to Excel4 and VBA macros should be a cautionary tale for contemporary application developers. Namely: the benefits of powerful new features should be balanced against a sober consideration of the risk(s) they introduce. That’s especially true given the contemporary API-driven economy, where open platforms, data sharing and interactivity are driving investment and development. The steady rise in API-based threats and attacks suggests that the old adage about those who “fail to learn from history” holds true.
Questions? Talk to ReversingLabs
ReversingLabs continuously improves its detection mechanisms to keep up to date with malware trends. That includes threats related to XLM and VBA macros. ReversingLabs Titanium platform combines Explainable Machine Learning technology with static analysis to reliably identify and extract Excel 4.0 and other indicators at scale. That allows our customers to detect such threats in their environment quickly and before they allow malicious actors to extend their reach within compromised networks.
Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious Excel4 macros or to schedule a demonstration.
- Stay up to speed on supply chain threat research
- See deminar: Detecting malware packages: PyPI and open source threats
- Learn key trends, what's ahead: The State of Supply Chain Security 2022-23
- Open-source YARA rules: Put them into action against ransomware
- Learn more about software supply chain security
- The NVD must evolve: Learn how and why with our free report
- Get a free SBOM and supply chain risk report