The move is the result of an increase in XLM-based malware. Interestingly, XLM is Excel’s legacy macro language that was replaced with Visual Basic for Application (VBA) in the early 1990s.
“This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats,” share three members of different security teams in a joint post.
- Check out our list of the best spreadsheet software available
- We've built a list of the best office software on the market
- Here's our list of the best productivity tools around
Victim of its own success
Microsoft is in a way somewhat a victim of its own success here, as according to the post, the release of AMSI in 2018 stripped macro-malware of its destructive powers.
As AMSI mastered the art of blocking malicious macro scripts written in VBA, threat actors behind wide-spread trojans and malware including Trickbot, Zloader, and Ursnif, were forced to switch to the abandoned, but still supported, and quite powerful XLM.
“Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands,” the developers write. With its new capabilities, AMSI has now also nullified XLM macro-based attacks.
The developers point out that AMSI data is leveraged by all Microsoft Defender for Endpoint products including Microsoft Defender Antivirus, which is the built-in antivirus solution on Windows 10. When it detects a malicious XLM macro, it’ll prevent its execution and even terminate Excel to block the attack completely.
“Because AMSI is an open interface, other antivirus solutions can leverage the same visibility to improve protections against threats,” the developers conclude inviting other security vendors to leverage AMSI in their antivirus solutions.
- Here's our list of the best accounting software right now