Microsoft disables Excel 4.0 macro support by default

[German] Good news in terms of security and Office: Microsoft is finally closing a gateway for malware by disabling support for Excel 4.0 macros by default. This mitigates a weakness whose removal had been announced and was long overdue.


Problem: Excel 4.0 macros

Excel 4.0 macros are a legacy feature, introduced in 1992 with Microsoft Excel 4.0. Users can enter macro commands directly into the cells of a spreadsheet and then have them executed (an example can be found here). These Excel 4.0 macros can also be saved in Excel macro files (.xlm files). With Excel 5.0, however, Microsoft switched to creating and executing macros as VBA code. That is also the recommended approach, but support for Excel 4.0 macros has been retained in all newer Office versions.

Cyber criminals have abused this mechanism to spread malware to user systems via Excel 4.0 macros. The actors behind TrickBot, Qbot, Dridex, Zloader and others use Excel 4.0 macros as the primary downloader for their malware. Security vendors and companies such as VMware have been warning about this approach for some time and report a huge increase in this infection route over the last two years.
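As an added example (not from the original post or from Microsoft), here is a small defender-side check for the legacy feature described above: in modern Office Open XML workbooks (.xlsm/.xlsx), Excel 4.0 macro sheets are stored as parts under xl/macrosheets/ and declared in [Content_Types].xml with the content type application/vnd.ms-excel.macrosheet+xml. The script builds a constructed sample container in memory and scans it; it does not cover legacy binary .xls (BIFF) files, which store XLM sheets differently.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types that declare Excel 4.0 (XLM) macro sheet parts in OOXML.
XLM_CONTENT_TYPES = {
    "application/vnd.ms-excel.macrosheet+xml",
    "application/vnd.ms-excel.intlmacrosheet+xml",
}
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def find_xlm_macrosheets(data: bytes) -> list:
    """Return sorted part names of Excel 4.0 macro sheets in an OOXML workbook."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Primary signal: [Content_Types].xml overrides declaring macro sheet parts.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in root.iter("{%s}Override" % CT_NS):
                part = ov.get("PartName", "").lstrip("/")
                if ov.get("ContentType") in XLM_CONTENT_TYPES and part:
                    found.add(part)
        # Secondary signal: parts in the conventional folder still count even if
        # the content-types manifest was stripped or edited.
        found.update(n for n in names
                     if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
    return sorted(found)


def build_sample_workbook(with_xlm: bool) -> bytes:
    """Construct a minimal in-memory OOXML container (constructed test data)."""
    overrides = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>']
    if with_xlm:
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.xml" '
                         'ContentType="application/vnd.ms-excel.macrosheet+xml"/>')
    ct_xml = '<Types xmlns="%s">%s</Types>' % (CT_NS, "".join(overrides))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("XLM sheets:", find_xlm_macrosheets(build_sample_workbook(flag)))
```

To scan real files, pass the bytes of a workbook read from disk to find_xlm_macrosheets; a non-empty result means the file carries Excel 4.0 macro sheets and deserves a closer look.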

Disabling of Excel 4.0 macros announced

I had addressed it in October 2021 in the blog post Microsoft disables Excel 4.0 macros in Office 365 in the next weeks. Users and administrators have been able to disable Excel 4.0 macros from running in Office 365 in the Trust Center settings since Fall 2021. The following schedule was in place:

  • Those using Office 365 as Insiders in the Slow Channel will receive this deactivation adjustment between late October and early November 2021.
  • For Office 365 users receiving updates via the Current Channel, the Excel 4.0 macros will be disabled from early to mid-November 2021.
  • All users who are in the Office 365 Monthly Enterprise Channel (MEC) will receive the deactivation of Excel 4.0 macros in mid-December 2021.

Microsoft even recommends disabling the macros in this support article. There are presumably also group policies for this, although that approach has some pitfalls, because not all policies are available in all Office versions (see this German post).

Microsoft also writes that users whose settings are managed via group policies, or who have already adjusted the settings in the Trust Center accordingly, are not affected by the above changes. Users who have not yet received this adjustment, or who want to disable Excel 4.0 macros immediately, can find instructions in this Techcommunity post.


Now Excel 4.0 macros are disabled

Now the colleagues from Bleeping Computer have spotted it and were the first to report it in this article; see also the following tweet.

Excel 4.0 Macros deactivated by default

Microsoft announced the change in the Techcommunity blog post Excel 4.0 (XLM) macros now restricted by default for customer protection, and writes:

In July of 2021, we released a new Excel Trust Center setting option to restrict the usage of Excel 4.0 (XLM) macros. As planned, we have now made this setting the default when opening Excel 4.0 (XLM) macros. This will help our customers protect themselves against related security threats.

Excel 4.0 (XLM) macros are now disabled by default in Excel (build 16.0.14427.10000). Administrators can also configure this setting via the existing policy control (requires the latest Office Administrative Template files) for Microsoft 365 applications or via Settings (see). Details can be found in the Techcommunity blog post Excel 4.0 (XLM) macros now restricted by default for customer protection.
