Three decades ago, Microsoft released Excel 4.0 with support for XLM macro files. A firm favourite with threat actors, XLM macros can be easily subverted to drop malware onto a victim’s computer through email campaigns that deliver malicious Office365 documents such as fake invoices and reports. Microsoft has now announced that XLM macros will be disabled by default from some customers by Christmas.
During 2020 there was a noticeable spike in the use of XLM macros by threat actors. Microsoft responded in March 2021 by expanding the Antimalware Scan Interface (AMSI) to include the scanning of XLM macros at run time – allowing security software to try to identify malicious macros. Later in the summer the Excel Trust Centre was updated to allow XLM macros to be disabled all together – while still leaving the option to enable VBA macros.
Now Microsoft has advised Microsoft 365 admins that XLM macros will be disabled by default for all tenants unless they have a group policy in place that overrides the setting.
All users of Excel are recommended by Microsoft to visit the Trust Centre and ensure VBA and XLM macros are disabled unless they are needed for specific business purposes.