Last week, Microsoft announced plans to disable Excel 4.0 macros for all Microsoft 365 customers, starting in early November. Also known as XLM, Excel 4.0 macros have been a part of Microsoft’s Office Suite for almost thirty years. And in that time they’ve become a favourite attack vector for cyber criminals of all stripes. We sat down with Senior Threat Researcher Daniel Blackford to find out more about why macros are such a popular target and why Microsoft is taking such a drastic step to curtail the threat.
According to Blackford, it’s worth remembering that there are still plenty of legitimate uses for macros, and that users will still have the option to re-enable them. “Macros make a set of steps repeatable, often at the press of a single button,” he says. “They’re a kind of rudimentary automation and there are plenty of people who use them safely every day.”
But while they make life easier for accountants who want a simple way to format a workbook or run a set of common calculations, the way macros work also introduces a significant element of risk. “These capabilities are enabled by a scripting language that provides access to core operating system features,” Blackford notes. “So, they can run Windows API functions and shell commands, which basically means a macro can reach out to the internet, download a hosted file and then execute it.” In other words, if your macro was written by a cyber criminal, they’ve probably used it to automate the process of infecting your machine with malware.
The huge install base of Microsoft Office coupled with the simplicity of this approach has made Excel macros a popular means of attack. “Aside from straightforward credential phishing, malicious macros are the most common form of attack we see,” says Blackford. “Almost every actor distributing banking trojans and botnets at scale is using them.” In fact, even innovative tactics like the call centre campaigns we’ve reported on recently still ultimately use a malicious Excel macro as their distribution vehicle.
Users might think that browser-based cloud versions of Office software are safer than their desktop counterparts, but according to Blackford, this would be a mistake. “Cloud versions of Word and Excel are still capable of running macros,” he says. “They tend to mirror the desktop application as closely as possible. But even pure web-based services like Google Docs have macro capabilities. In Google’s case the scripting language is based on JavaScript, and it’s never a good idea to let unknown users run JavaScript on your machine!”
So, will disabling Excel 4.0 macros cause this vulnerability to disappear? According to Blackford, it’s unlikely. “Excel also uses another kind of macro called VBA, and these will continue to be functional. Last year they were actually more popular with threat actors than the old format, though last year Excel 4.0 macros really blew up again. That might be why Microsoft finally decided it had to do something.”
Blackford ends the conversation with the same advice he’s been giving customers for years. “In cyber security, once you’ve taken care of the technical vulnerability you still have to address the human factor. In this case, we pretty simply need to train people to never click the button that says ‘Enable Macros’. Being aware of the risk is half the battle.”
Learn More
To learn more, check out the new Proofpoint Threat Hub, your home for the latest threat research and insights.