New defence against an old problem, Excel XLM Macros

Microsoft has added more protections against nasty Excel 4.0 macros aka XLM macros.

XLM or Excel 4.0 macros are an older pre-VBA system that’s still available in modern Excel 365 for Windows and Mac. XLM macros have been around since 1992 but were gradually replaced by VBA, which debuted only a year later.

Excel 4 macros have been a ‘blind spot’ for Microsoft security, ignored for too long. They’ve been left available to hackers long after the vast majority of customers moved to VBA. More likely, customers only ever used VBA for Excel automation, unaware that the legacy technology even existed.

In the last few years, hackers have taken advantage of Microsoft’s lapse and used documents with Excel 4.0 macros to infect computers.

It’s not just old-format .xlm files that can carry malicious Excel 4 macros. SLK files (another obsolete but still supported format) can also include 4.0 macros, which has been another Microsoft security blind spot. SLK files could bypass macro security in Excel for Mac.

Even last year, SLK files were being used to infect via Excel for Windows. SLK files could be opened, and code run, without going into Protected View or triggering other virus blocks.

Runtime checking

Finally, Microsoft is adding better runtime checks for whatever XLM macros try to do.

Antimalware Scan Interface (AMSI) works by checking what code tries to do to a computer when the code runs. Calls to the operating system are intercepted and checked against known malicious behavior.

Source: Microsoft

Runtime checks ignore attempts to hide the malicious code with hard-to-read obfuscation. AMSI checks what a macro does, not how it reads.
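To make the static-versus-runtime distinction concrete, here is an added toy model (example code written for this article, not Microsoft’s AMSI implementation or any Excel component). It evaluates a tiny subset of XLM formula syntax (string literals, numbers, CHAR(), & concatenation and function calls) and hooks every function call after its arguments have been resolved, the way a runtime scanner sees behaviour rather than text. The RISKY_CALLS table, the STATIC_SIGNATURES list and both sample formulas are constructed for illustration; the "payload" is just notepad.exe and nothing is actually executed.

```python
"""Toy model of static vs. runtime (AMSI-style) scanning of Excel 4.0 macro formulas.

Constructed illustration: a minimal evaluator for a subset of XLM formula syntax
with a runtime hook that inspects each call *after* its arguments are resolved.
"""
import re
from dataclasses import dataclass, field

# Behaviours the runtime hook flags, keyed by XLM function name.
# Assumption: a simplified list for illustration, not Microsoft's actual rule set.
RISKY_CALLS = {
    "EXEC": "process execution",
    "CALL": "Win32 API call",
    "REGISTER": "DLL function registration",
}

# A naive static signature on the literal formula text. This stands in for the
# text-based matching that obfuscation is designed to defeat.
STATIC_SIGNATURES = ['EXEC("notepad']

# One token per match: quoted string, integer, identifier, or a single symbol.
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_.]+)|(&|\(|\)|,|=))')


def tokenize(formula):
    """Split a formula into (kind, value) tokens; "" inside a string is an escaped quote."""
    tokens, pos = [], 0
    while pos < len(formula):
        m = TOKEN_RE.match(formula, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {formula[pos:]!r}")
        s, n, ident, sym = m.groups()
        if s is not None:
            tokens.append(("STR", s[1:-1].replace('""', '"')))
        elif n is not None:
            tokens.append(("NUM", int(n)))
        elif ident is not None:
            tokens.append(("ID", ident.upper()))
        else:
            tokens.append(("SYM", sym))
        pos = m.end()
    return tokens


@dataclass
class Runtime:
    """Recursive-descent evaluator; `events` records every flagged call with its resolved args."""
    events: list = field(default_factory=list)
    tokens: list = field(default_factory=list)
    i: int = 0

    def run(self, formula):
        self.tokens, self.i = tokenize(formula.strip()), 0
        if self.tokens and self.tokens[0] == ("SYM", "="):
            self.i = 1                      # leading '=' is optional
        value = self.expr()
        if self.i != len(self.tokens):
            raise ValueError("trailing tokens after expression")
        return value

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self):
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def expr(self):
        # expr := term ('&' term)*   -- '&' is XLM string concatenation
        value = self.term()
        while self.peek() == ("SYM", "&"):
            self.take()
            value = str(value) + str(self.term())
        return value

    def term(self):
        # term := STRING | NUMBER | IDENT '(' [expr {',' expr}] ')'
        kind, val = self.take()
        if kind in ("STR", "NUM"):
            return val
        if kind == "ID":
            if self.take() != ("SYM", "("):
                raise ValueError(f"expected '(' after {val}")
            args = []
            if self.peek() != ("SYM", ")"):
                args.append(self.expr())
                while self.peek() == ("SYM", ","):
                    self.take()
                    args.append(self.expr())
            self.take()                     # consume ')'
            return self.call(val, args)
        raise ValueError(f"unexpected token {kind} {val!r}")

    def call(self, name, args):
        """AMSI-style hook: the call is inspected with its fully resolved arguments."""
        if name in RISKY_CALLS:
            self.events.append((name, RISKY_CALLS[name], tuple(args)))
            return 1                        # pretend success; nothing is really executed
        if name == "CHAR":
            return chr(int(args[0]))
        raise ValueError(f"unsupported function {name}")


def static_scan(formula):
    """Text-only check: True if any literal signature appears in the formula source."""
    return any(sig in formula for sig in STATIC_SIGNATURES)


def runtime_scan(formula):
    """Behavioural check: evaluate the formula and return the flagged calls."""
    rt = Runtime()
    rt.run(formula)
    return rt.events


# Constructed samples: the same action written plainly and with CHAR()-based obfuscation.
SAMPLES = {
    "plain":      '=EXEC("notepad.exe")',
    "obfuscated": '=EXEC(CHAR(110)&CHAR(111)&"tep"&CHAR(97)&"d.exe")',
}

if __name__ == "__main__":
    for label, formula in SAMPLES.items():
        print(f"{label:>10}: static={static_scan(formula)!s:5} runtime={runtime_scan(formula)}")
```

Running the block shows the static signature matching only the plain formula, while the runtime hook reports the identical EXEC("notepad.exe") behaviour for both, which is the property the article attributes to AMSI: what the macro does is visible at the call boundary no matter how the argument string was assembled.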

Amazingly, it’s taken until 2021 for Microsoft’s main security tool to properly protect against their own technology that’s almost 30 years old.

These new tools will be included with Microsoft Defender Antivirus, Microsoft Defender for Endpoint and Microsoft 365 Apps.

