Macro malware has been a big part of the hacker’s toolkit since the 90s. The technique continues to endear itself to cybercriminals because its simplicity makes malware infections easy to initiate.
Last month, Ukraine accused Russian government spies of uploading documents with macro malware to a Ukrainian government document-sharing website.
As the first wave of the COVID-19 pandemic kicked in last year, Microsoft warned its users of emails that contained Excel files with macro malware. For years now, it has been using its Antimalware Scan Interface (AMSI) and Office 365 to crack down on macro malware.
Even with AMSI and Office 365, Microsoft’s successful efforts to stamp out macro scripts written in VBA (Visual Basic for Applications) ended up backfiring, as attackers reverted to an older macro language called XLM, used in Excel 4.0 in 1992.
Microsoft is now expanding the integration of Office 365 with AMSI to also scan for Excel 4.0 XLM macros at runtime. This brings XLM in line with the scanning AMSI already applies to VBA macros.
AMSI allows apps to integrate with any antivirus on a Windows device and enables the antivirus to see and block several types of malicious scripts in Office documents.
There’s work left to be done
Microsoft says that its Defender anti-malware is using the integration to detect and stop XLM-based malware, and that it is encouraging other anti-malware companies to use the same feature.
The software giant’s security teams explain that even though XLM is less sophisticated than VBA, it is adequate to achieve interoperability with the operating system. It has many legitimate uses, and organizations and users alike apply it for positive ends.
Microsoft Excel now has XLM macros runtime inspection, which is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 users.