At long last, Microsoft is disabling Excel 4.0 macros by default

At long last, Microsoft is disabling Excel 4.0 macros by default

Sometimes good news in the security world comes unexpectedly. This is one of those times. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is going disable Excel 4.0 macros for everyone. Better late than never, right?

Talk about a big sigh of relief.

Excel 4.0 macros, aka XLM macros, were first added to Excel in 1992. They allowed users to add commands into spreadsheet cells that were then executed to perform a task. Unfortunately, we soon learned that (like any code) macros could be made to perform malicious tasks. Office documents have been a favorite hiding place of malicious code ever since.

For backward compatibility reasons the feature was never removed, despite being superseded by Visual Basic for Applications (VBA) just one year after it was introduced.

I understand the argument in favor of keeping it back then, but why keep it enabled by default for so long after, when so few people use it? Microsoft could have made it so that those that needed Excel 4.0 macros had to turn the feature on, and the rest of us (the overwhelming majority of Excel users) could have been more secure without having to remember to turn it off.

Good news? What happened?

Microsoft announced plans to disable Excel 4.0 macros in an email sent to customers. It will be disabled for all Microsoft 365 users by the end of the year, but the exact schedule depends on which kind of customer you are:

  • Insiders-Slow: Complete in early November.
  • Current Channel: Complete by mid-November.
  • Monthly Enterprise Channel: Complete by mid-December.

Trust me, it’s not easy to make all security professionals happy at once. Most feel this should have been done long ago. For some the glass is half full, while others are asking “why has this glass been half empty for so long?”

Will you miss it?

It is very, very unlikely you will miss Excel 4.0 macros. XLM was the default macro language for Excel through Excel 4.0, but beginning with version 5.0, Excel recorded macros in VBA by default, although XLM recording was still allowed as an option. After version 5.0 that option was discontinued. All versions of Excel are capable of running XLM macros, though Microsoft discourages their use.

Now—almost 30 years after they were made obsolete—it’s fair to stay that the biggest users of Excel 4.0 macros are probably malicious threat actors.

Abuse cases

Attackers have always liked Office macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. XLM macros have been used to drop many well known malware families, including ZLoader, TrickBot, BitRat, QBot, Dridex, FormBook and StrRat, among others.

And in just the last month, Malwarebytes Labs has seen XLM macros weaponized to deliver threat-actor-favorite Cobalt Strike, and a malware campaign using XLM macros to deliver a .NET payload under the cover an Excel spreadsheet full of stats about US airstrikes on the Taliban regime.

Disable manually

Should you feel the need to disable this feature right now, you can do so in the Trust Center. In July Microsoft added a new checkbox setting, “Enable Excel 4.0 macros when VBA macros are enabled”, which allows users to individually configure the behavior of XLM macros without impacting VBA macros.

Security over backward compatibility

Despite the shared joy about this security enhancing roll-out, it raises the question of when does security overrule backward compatibility? Microsoft must have better things to do than fix obsolete features from the past century. Wouldn’t it have been preferable if the step up to VBA in 1993 had been less steep, so we could all forget about 4.0 and move on to the latest version without having to look over our shoulder? Or perhaps Microsoft could have disabled this potentially dangerous feature decades ago and left it to those who actually wanted it to turn it back on?

If history has taught us anything, it’s that the incentive to enable something you need is a lot stronger than the incentive to disable something that might be potentially dangerous.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.