Microsoft Excel is making a big change to protect against malware

Someone using Excel on a Laptop.
(Image credit: Microsoft)

Excel 4.0 (XLM) macros are now disabled by default, Microsoft has confirmed. In a Tech Community blog post, the company revealed that the change has been made to better protect users against “related security threats” coming through spreadsheets.

Back in July 2021, the company released a new Excel Trust Center setting option, allowing administrators to restrict the usage of Excel 4.0 (XLM) macros. It has now made this option default for everyone.

Administrators can use existing Microsoft 365 applications policy control to configure this setting, the announcement reads. The Group Policy setting “Macro Notification Settings” for Excel can be found in the following path and registry key:

Group Policy Path: User configuration > Administrative templates > Microsoft Excel 2016 > Excel Options > Security > Trust Center.

Registry Key Path: Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\excel\security

Malicious actors often abuse macros

Furthermore, administrators can manage this policy setting with both cloud policies, and ADMX policies. They can also completely block all XLM macro usage, including in new user-created files, by enabling the Group Policy, “Prevent Excel from running XLM macros”, Microsoft added. 

Excel 4.0 (XLM) macros were the default format until 1993, and even though they’ve since been discontinued, they can still be run by the latest versions of the Office program. That makes them ideal for threat actors, who’ve been abusing them to push malware such as TrickBot, Zloader, Qbot, Dridex, ransomware, and many other malicious programs, BleepingComputer reminds. 

The publication also reminds that in October 2019, Microsoft added a new Group Policy, allowing administrators to block Excel users from opening untrusted Microsoft query files with IQY, OQY, DQY and RQY extensions. It claims that these files have been weaponized in “numerous malicious attacks”, to deliver remote access Trojans and malware, for years. 

XLM is disabled by default in version 16.0.14527.20000+, current Channel builds 2110 or greater, monthly Enterprise Channel builds 2110 or greater, semi-annual Enterprise Channel (Preview) builds 2201 or greater, and semi-annual Enterprise Channel builds 2201 or greater (coming this July).

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.