Microsoft Fighting Against Macros Based Malware, especially since Macros have been a simple, effective means of spreading malware since the 1990s. Some hackers still rely on them heavily to ensnare and infect unsuspecting users.
It’s a long-standing issue that many companies have attempted to address over the years. Now, it seems that it’s Microsoft’s fighting against Macros again.
Recently, Microsoft announced a new integration between its AMSI (Antimalware Scan Interface) and Office 365, aimed squarely at delivering a knockout blow to hackers using macro-based malware.
Earlier attempts to stop macro abuse focused on Visual Basic Scripts and remove macro-based vulnerabilities from them.
That was effective as far as it went, but it had the unforeseen effect of pushing hackers away from using VBS and toward XLM. Those are of an older macro language that first shipped with Microsoft Excel back in 1992 and is still in existence. The new integration paradigm sees AMSI scanning Excel 4.0 XLM macros at runtime, which should (emphasis on should) make it virtually impossible for hackers to exploit them.
As a representative from Microsoft Security Teams explains:
“While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals and hackers know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands.
Naturally, hackers like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.”
Time will tell how effective this new approach will be. Unfortunately, even if it is wildly successful, it will simply push hackers toward some other easy exploit. Even so, kudos to Microsoft for taking the fight against the hackers.