During the past year, users have come across several attacks that leveraged the technique of Excel 4.0 Macros, also known as XLM macros, through phishing emails to infect the users’ systems with malware. It is essential to get acquainted with this excel file weaponizing technique to keep your critical data from falling into the hands of cyber adversaries.

What are Excel 4.0 Macros?

In 1992, Microsoft programmers introduced a feature in Excel 4.0, known as XML 4.0 macros. It was a useful record-and-playback feature that allowed the users to automate Excel 4.0 functions as this piece of programming code automates the repetitive tasks in Excel. However, now, adversaries have converted this function into a backdoor to deliver malicious software to users’ computers. The threat actors make the XML code obscure to conceal the malicious macros.

The aspect that makes every organization concerned about this latest attack is that Excel 4.0 Macros is one of the core capabilities of Excel used across several business processes regularly. The malware authors weaponize the Excel file using the macro code to sneak the malicious payload and deliver it as an attachment in a phishing email.


How The Recent XLM Macros Phishing Campaigns Worked

The adversaries took advantage of the fact that malicious macros can easily be inserted and hidden in an Excel file via various obfuscation strategies. This is how the file surpasses the security checks and filters without detection. Adversaries set the sheet to “Very Hidden” to make the attack more sophisticated in some episodes. In this mode, the file cannot be accessed readily using the Excel UI. Instead, an external tool is required to reveal the content of the file.

A simple web query is enough to trigger the hidden macros in the Excel sheet. Besides, the malware can download on the execution of the formula too. The cyber attackers leveraged this Excel loophole and paired it with the fear-based phishing campaigns and other social engineering ploys. This allowed the attackers to trick the users, gain remote access, and run commands over users’ compromised devices.


Recent XLM Macros Attacks

The first attack using XLM macros was reported in mid-February 2020. It involved the social engineering tactic of luring the user into opening the Excel file attached to an email. The sheet consisted of a malicious command hidden in a formula. The email asked the target to open the file and click on the “Enable Editing” button, enabling the malicious macros.

Since February 2020, a large-scale attack spree has been noticed all over the world. Malicious actors abused the macros’ function so much that in May 2020, Microsoft published a statement warning everyone about the COVID-19 based phishing email examples. The adversaries impersonated the Johns Hopkins Center and ran phishing campaigns with the subject “WHO COVID-19 Situation Report.” In some attacks, the attached Excel file was accompanied by hidden macros that instructed users to download and run NetSupport Manager RAT. This step would enable the attackers to gain remote access to the system.

The latest XML macros phishing campaign that made news headlines is MirrorBlast. The phishing emails contain information that pretends to be from a genuine organization instructing about COVID-19 related changes in office and working arrangements. Social engineering techniques are used to make the users enable macros as they remain disabled by default.


Protection Against Excel 4.0 Macros Exploitation

There has been increasing use of Excel 4.0 documents as an initial vector to spread malware like Zloader, Qakbot, Ursnif, and Trickbot. Here are the measures that users can take to minimize the risk of such attacks.

  • Integration Of AMSI: To avoid any XLM macros-based attacks, Microsoft has enabled the integration of Antimalware Scan Interface (AMSI) with Office 365. This feature allows organizations to check the runtime behavior of Excel 4.0 macros and malicious scripts to detect threats hidden behind obfuscation and other tricks. AMSI is also an open interface that the user can pair with any antivirus solution to provide deep and dynamic visibility to detect threats and offer the best phishing protection.
  • Migrating To VBA: Due to the attackers’ continuous exploitation of Excel 4.0 macros, Microsoft encourages all organizations and users to migrate to Visual Basic For Applications (VBA), the successor to XML macros. The combination of VBA with AMSI helps in the thorough scrutinization of macros in VBA.
  • Being Beware of Unsolicited Emails: As scammers use social engineering scams to get into the user’s device, they need to pay attention to each email before opening any link or file attached. One of the best anti-phishing solutions is to follow a zero-trust policy and verify the sender even when an email appears to originate from a recognized source.
  • Employee Education And Training: No cybersecurity measure will help if the employees are not prepared and trained to detect and report suspicious emails. They should be wary of any requests or communication relating to financial or other sensitive information. Organizations must conduct employee awareness programs from time to time to educate the personnel about the latest cyber threats and ways to deal with them.


Final Words

Excel 4.0 macros are turning out to be a destructive tool that allows malicious actors to get into the users’ system and get their malicious code to run on a target. They even explore more possibilities to use the Excel feature to their advantage. Even today, the macros function of Excel worksheets is widely used for legitimate business purposes. Therefore, instantly discontinuing or disabling it is not a viable option in most cases. Managing this constantly evolving attack requires a more comprehensive approach of continuously updating tools, signatures, and security defenses and upgrading the whole investigative methodologies and anti-phishing solutions.