News

Excel Subscriptions Getting XLM Macro Blocking by Default

• By Kurt Mackie
• 01/20/2022

Microsoft is starting to enable the restriction of Excel 4.0 macros (XLM) by default for users of Excel in subscriptions, starting with Excel build 16.0.14427.20000 and newer releases, according to a Wednesday announcement.

The XLM macro format is an old one that's been used in malware attacks, which typically occur by attaching Office document files containing these macros in e-mails. Now, the XLM format is starting to get disabled by default in Excel.

Here's Microsoft's timeline for when the XLM macro restrictions will occur for Excel users:

XLM is disabled by default in the September fork, version 16.0.14527.20000+

• Current Channel builds 2110 or greater (first released in October)
• Monthly Enterprise Channel builds 2110 or greater (first released in December)
• Semi-Annual Enterprise Channel (Preview) builds 2201 or greater (we create this in January 2022, but it first ships in March 2022)
• Semi-Annual Enterprise Channel builds 2201 or greater (will ship July 2022)

Microsoft Changes Tactics
The disablement of the XLM macro format by default in Excel represents a kind of quick change in approach by Microsoft.

For instance, Microsoft had explained back in July that it was recommending organizations use a new checkbox setting, called "Enable Excel 4.0 macros when VBA macros are enabled," in the Trust Center, rather than just disabling XLM macros altogether. This setting "allows users to individually configure the behavior of XLM macros without impacting VBA [Visual Basic for Applications] macros."

That July recommendation apparently became the default setting for Microsoft 365 subscribers. However, Microsoft seems to have since moved away from it, and now the default setting simply disables XLM macros.

Here's how that change in policy was explained in the Wednesday announcement:

This setting [the one set by default back in July] now defaults to Excel 4.0 (XLM) macros being disabled in Excel (Build 16.0.14427.10000). Per the original blog post, Administrators can also use the existing Microsoft 365 applications policy control to configure this setting. Get the latest Office Administrative Template files.

Antimalware Scan Interface Added, Too
The XLM macro format is an old format from 1992 that was introduced a year before the release of Visual Basic for Applications. Macros in XLM format can be used for malicious purposes using so-called "trigger functions," Microsoft has explained.

Back in March, Microsoft had described how its integration of its Antimalware Scan Interface (AMSI) solution used with Office 365 applications provided a check on the use Excel 4.0 XLM macros. That announcement also explained that ZLoader malware had been using XLM macros as an "infection vector of choice." Microsoft began adding AMSI scanning to Microsoft 365 subscriptions back in February.

Active Content Blocking Controls
It's not just Excel that will be clamping down on old macro use in attached Office documents. Microsoft has more general plans for "active content" blocking.

For instance, Microsoft announced in December that it was changing the policy for so-called "Trusted Documents" for Office 365 and Microsoft 365 subscribers to permit IT pros to block "active content" in Office documents, as typically received via e-mail. The new policy control, said to arrive in "early February 2022," will let IT pros set policies that end users can't bypass, Microsoft promised.