British security expert Kevin Beaumont retweeted a screenshot from the Microsoft website, originally posted by Omri Segev Moyal, adding, "Oh my god. Will take a while to reach enterprises and needs Office 365 client but eventually this will reach lots of people and really help defenders."
Moyal, co-founder of the boutique security firm Profero, had his own take on the announcement, saying, "I thought the Messiah would come faster than this. Microsoft to disable macro by default in Excel 4.0."
I thought the Messiah would come faster than this. Microsoft to disable macro by default in Excel 4.0 pic.twitter.com/BOvBrxtCI6— Omri Segev Moyal (@GelosSnake) October 7, 2021
Beaumont, who used to work as a threat intelligence analyst at Microsoft until a few months ago, said in another tweet that he had asked for this to be done while he was employed there.
"[The] reality is Excel 4 came out in 1992 and legit Excel 4.0 macros are almost non-existent in business."
For the record I pleaded with people for this while at MS, and the two main counter arguments were ‘we just added AMSI support’ and ‘E5 revenue via Safe Docs’.— Kevin Beaumont (@GossiTheDog) October 7, 2021
Reality is Excel 4 came out in 1992 and legit Excel 4.0 macros are almost non-existent in business.
Threat intelligence firm Zvelo says in one of its blog posts: "Weaponising Excel 4.0 Macros is an effortless and reliable method attackers use to get a foothold into a target network as this technique simply represents an abuse of a legitimate Excel feature, and does not rely on any vulnerability or exploit.
"XLM macros are very straightforward and easy to create, thus easily modified to bypass signature-based detection.
I don’t think that this includes VBA macros but only the old XLM macros, or does it?— Florian Roth ⚡️ (@cyb3rops) October 7, 2021
I‘ll have to check that tomorrow.
"Macros are also robust and provide various functions that can be leveraged to evade analysis, such as obfuscating the final payload, modifying the control flow, or detecting automated sandbox analysis through specific host environmental checks."
Beaumont added: "I hope Microsoft continues to serve the majority and not the top tier E5 customers. End security poverty via Microsoft’s own products."
Wait wait, did the world just end? did hell freeze over? lol But seriously kudos to MS for doing the right thing and lets give malware a 1, 2 punch by disabling VBA macros by default too!— Joseph Roosen (@JRoosen) October 7, 2021
Contacted for comment, Satnam Narang, staff research engineer at security firm Tenable, said: "It's a step in the right direction for Microsoft to announce that they will be disabling Excel 4.0 Macros (XLM) by default, considering it was introduced nearly 30 years ago.
"It's a welcome change, as XLM Macros are still being leveraged by threat actors today.
"Malicious documents are valuable tools for threat actors in their campaigns and while this won't thwart the activity in its entirety as VBA Macros still pose a threat, this change will make life just a little bit harder for those threat actors."