Excel 4.0 (XLM) is an old macro language which Microsoft released for Excel back in 1992. Although it is a legacy language and most organizations have since migrated to Visual Basic for Applications (VBA), some continue to use XLM because of its functionalities and interoperability with the OS. Microsoft has noticed that due to its continued use, malicious actors have started to abuse XLM macros more frequently, which is why the company is now enabling runtime inspection of XLM code in Microsoft Excel.
Microsoft's Antimalware Scan Interface (AMSI) was already integrated with VBA back in 2018 and has been very successful in exposing and stopping malware attacks dependent upon the particular technology. Naturally, malicious actors have recently shifted focus to relatively less secure technologies such as XLM to call Win32 APIs and run shell commands for their activities. As such, Microsoft is now enabling runtime inspection of XLM code in Office 365 applications such as Excel.
Multiple tools and antivirus solutions can utilize AMSI to request scans of data to detect potential threats. The Redmond tech giant uses it heavily with Microsoft Defender for Endpoint for threat detection in various applications such as Office VBA macros, JScript, VBScript, PowerShell, WMI, dynamically loaded .NET assemblies, and MSHTA/Jscript9.
Microsoft has noted that this new integration with XLM is essential, saying that:
Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple strings manipulations. Attackers also take advantage of the way macro code persists within the Excel document—while VBA macros are stored in a dedicated OLE stream (and hence can be easily located and extracted), XLM macros do not exist as a separate, well-defined entity. Rather, each XLM macro statement is a formula within a cell. Extracting a whole XLM macro can become a cumbersome task, requiring a cell-by-cell inspection of the whole document.
In addition, while formulas are typically executed downwards starting from the top, with XLM the macro content can be quite spread out, thanks to control flow statements like RUN, CALL, or GOTO, which allow the switching of execution flow from one column to another. This feature, together with obfuscation, has been abused by attackers to craft documents that could evade static analysis.
Multiple malicious groups have been named which are using XLM macros as an attack surface for their activities including Trickbot, Zloader, and Ursnif.
Runtime inspection of XLM in Microsoft is now available in AMSI, which means that it can be performed by any antivirus solution that is registered as an AMSI provider for a machine. Under default configurations, files that are from trusted locations or are trusted documents will not be scanned at runtime. The same also applies for files that are opened when the security settings are configured to enable all macros. The feature is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.