Microsoft restricts XLM macros in Excel to prevent malware attacks


Microsoft wants organizations to ditch Excel 4.0 (XLM) macros when automating spreadsheets, a feature that has been part of the Office application since the 1990s. The company would prefer customers use Visual Basic for Applications (VBA), which is much more secure. Now, Microsoft says it will actively limit the use of XLM macros in Excel by default.

According to Microsoft, Excel 4.0 XLM macros are open to attack. A malicious actor could use macros to spread malware onto a system. This can be achieved with a relatively simple, surface-level attack.

Macro malware is one of the oldest methods of cybercrime, at least among those still used today. Threat actors have been turning to macros since the 90s and are still having some success, because it is a simple technique for pushing malware onto a system.


In March 2021, Microsoft updated the Antimalware Scan Interface (AMSI) in Office 365 to scan Excel files that use the old 4.0 macro language for malicious macros. This clearly wasn’t enough to allay the company’s concerns, so Microsoft is now simply going to restrict the use of XLM macros.

Changing the configuration

In the Excel Trust Center, the application now indicates that macros are disabled. Users can still choose to enable them there. Excel users can instead manage the default behavior using cloud policies, group policies, or ADMX policies.

In a blog post to confirm the change, Microsoft says the new configuration will be pushed to the following Excel users:

  • “Current Channel builds 2110 or higher (first released October)
  • Enterprise Channel Monthly Releases 2110 or higher (first released in December)
  • Semi-Annual Enterprise Channel (Preview) builds 2201 or more (we’re building it in January 2022, but it first ships in March 2022)
  • Semi-Annual Enterprise Channel builds 2201 or more (will ship July 2022)”
