Microsoft doubles down on protecting users from Excel macro malware
The company is locking down one of the older avenues for attackers to exploit users' computers and integrating it with its Windows Defender Antimalware Scan Interface.
Microsoft Office is arguably the most widely used office suite in the world and, as a result, is heavily targeted by malware creators and hackers. Microsoft regularly issues updates for its office suite through Windows Update, and the company has now added an improvement that will further protect Excel users.
Excel macros are one of the most common choices for miscreants looking to compromise computer systems, and Microsoft has now announced that it is expanding the integration between its Antimalware Scan Interface (AMSI) and Office 365 to scan Excel 4.0 macros at runtime. The company explained the changes in a blog post on Wednesday.
This is not Microsoft's first attempt to lock down access through macros: the company had previously blocked macro scripts written in Visual Basic for Applications (VBA). Unfortunately, once hackers and miscreants like those behind Trickbot, Zloader, and Ursnif were suddenly locked out of their regular avenue of exploiting the system, they simply reverted to using Excel 4.0 macros, which are much older and easier to exploit.
“Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple strings manipulations,” Microsoft says in a post describing the updates.
With the new AMSI integration, Office 365 can now tie into your computer's antimalware system to verify whether the script in that Excel file you were just emailed is safe to open. If the antivirus detects a malicious XLM macro, the macro won't execute and Excel is terminated, thus blocking the attack.
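To see why scanning at runtime matters, the following added example (not code from Microsoft or from the original article) compares a signature check on the formula text as stored with the same check on the string the formula resolves to. It is a simplified model rather than Office's or AMSI's actual implementation: the signatures, the sample formula and the helper names `evaluate`, `matches` and `compare` are assumptions made for illustration, and only string literals, `CHAR(n)` and `&` are handled.

```python
import re

# Constructed signatures a simple scanner might look for.
SIGNATURES = [re.compile(r"https?://", re.I), re.compile(r"\.exe\b", re.I)]

# One token of an XLM-style string expression: "literal", CHAR(n) or &.
TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|CHAR\((\d+)\)|(&))', re.I)

# Constructed sample: a URL split into pieces so it never appears in the file as one string.
SAMPLE = '="ht"&"tp"&CHAR(58)&"//example.invalid/upd"&CHAR(46)&"e"&"xe"'


def evaluate(expr):
    """Resolve a concatenation of literals and CHAR(n) calls to its runtime value."""
    expr = expr.strip().lstrip("=")
    pos, parts, want_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported expression at offset {pos}")
        literal, code, amp = m.groups()
        if bool(amp) == want_operand:
            raise ValueError(f"misplaced token at offset {pos}")
        if amp:
            want_operand = True
        else:
            # A doubled quote inside a literal stands for one quote character.
            parts.append(chr(int(code)) if code else literal.replace('""', '"'))
            want_operand = False
        pos = m.end()
    if want_operand:
        raise ValueError("expression ends where an operand was expected")
    return "".join(parts)


def matches(text):
    """Return the patterns of all signatures found in text."""
    return [s.pattern for s in SIGNATURES if s.search(text)]


def compare(expr):
    """Scan the stored formula text (static) and its resolved value (runtime)."""
    return {"static": matches(expr), "runtime": matches(evaluate(expr))}


if __name__ == "__main__":
    print("resolved value:", evaluate(SAMPLE))
    print(compare(SAMPLE))
```

The static pass finds nothing in the stored formula, while the pass over the resolved value hits both signatures, which is the visibility a scanner gains by inspecting macro behaviour at runtime.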
“Microsoft Defender Antivirus, the built-in antivirus solution on Windows 10, has been leveraging AMSI to uncover a wide range of threats, from common malware to sophisticated attacks,” the company said, adding that since AMSI is an open interface, it was also urging other antivirus manufacturers to ‘leverage the same visibility’ to improve protections against threats.