Skip to main content

Microsoft Expanding Fight Against Macros Based Malware

By March 20, 2021May 11th, 2022Cybersecurity

Macros have been a simple, effective means of spreading malware since the 1990’s, and some hackers still rely on them heavily to ensnare and infect unsuspecting users.

It’s a long standing issue that many companies have attempted to address over the years. Now, it seems that it’s Microsoft’s turn at bat again.

Recently, the Redmond Giant announced a new integration between its AMSI (Antimalware Scan Interface) and Office 365, aimed squarely at delivering a knockout blow to macro-based malware.

Earlier attempts to put a stop to macro abuse focused on Visual Basic Scripts and removing macro-based vulnerabilities from them.

That was effective as far as it went, but it had the unforeseen effect of pushing hackers away from using VBS and toward XLM. Those are of an older macro language that first shipped with Microsoft Excel back in 1992 and is still supported to this day. The new integration paradigm sees AMSI scanning Excel 4.0 XLM macros at runtime, which should (emphasis on should) make it virtually impossible for hackers to exploit them.

As a representative from Microsoft Security Teams explains:

“While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cyber criminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands.

Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.”

Time will tell how effective this new approach will be. Unfortunately, even if it is wildly successful, it will simply push hackers toward some other easy exploit. Even so, kudos to Microsoft for taking the fight to the hackers.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.