At long last, Excel v4 macros are being blocked from running in Excel 365 by default. A move that greatly reduces the security risk from infected attachments in Excel 365 and Excel 2021.
Excel v4 macros are a very old form of programming, literally 30 years old. It allowed macros to be embedded into cells. They were replaced with Visual Basic for Applications (VBA) but continue to be supported to this day.
Those old macros are a security nightmare. When 4.0 macros were developed, Microsoft gave no thought to security or dismissed dangerous workbooks as merely ‘prank macros’.
Microsoft has slowly, too slowly in our view, moved to disable Excel 4.0 macros in worksheets.
They started in early 2021 by adding an option to enable Excel 4.0 macros alongside VBA. File | Options | Trust Center | Trust Center Settings | Macro Settings | Enable Excel 4.0 macros when VBA macros are enabled.
The safe choice is to UNcheck this option and allow VBA to operate but not the older macros.
This option to disable Excel 4.0 macros is in Excel 365 and Excel 2021.
Excel 4.0 macros now off by default
In early 2022, Microsoft has gone a step further by disabling Excel 4.0 macros by default.
In other words, the “Enable Excel 4.0 macros when VBA macros are enabled.” option is now OFF unless you choose to turn it on (not a good idea).
Administrator option: “Prevent Excel from running XLM macros”
As usual, IT admins have the power to enforce or override the default settings via a Group Policy or Registry.
Group Policy
User configuration | Administrative templates | Microsoft Excel 2016 | Excel Options | Security | Trust Center
Look for “Prevent Excel from running XLM macros”
Registry Key
Path: Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security\
Look for “Prevent Excel from running XLM macros”
New defence against an old problem, Excel XLM Macros