Microsoft has announced the addition of Excel 4.0 XLM macro detection to its Antimalware Scan Interface (AMSI). Because AMSI previously covered only Visual Basic for Applications (VBA), cybercriminals responded by shifting to Excel 4.0 XLM macros as their main means of delivering malware through Excel spreadsheets. Excel 4.0 XLM macros were introduced in 1992 and had not been widely used for many years, but remained supported for legacy spreadsheets. This shift allowed many malicious Excel files to bypass AMSI and run with very few detections by anti-virus products. The AMSI update should address that prolific problem.
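A defender-side check that complements the AMSI change, added here as an example and not code from Microsoft or Binary Defense: it inspects a workbook in the OOXML (zip) form and reports whether it carries Excel 4.0 macro sheets. Excel stores XLM macro sheets under xl/macrosheets/ with the content type application/vnd.ms-excel.macrosheet+xml, and workbook.xml records sheets hidden from the user (state="hidden" or "veryHidden"), a common trait of macro sheets meant to run unnoticed. The legacy binary .xls container is an OLE/BIFF structure and is not parsed here; the build_sample helper constructs a minimal in-memory workbook purely as test input.

```python
"""Flag OOXML workbooks that contain Excel 4.0 (XLM) macro sheets.

Added example (not Binary Defense's or Microsoft's code). Only the OOXML
zip container is handled; legacy binary .xls files need an OLE/BIFF parser.
"""
import io
import re
import zipfile

MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"  # content type Excel assigns to XLM sheets
MACROSHEET_DIR = "xl/macrosheets/"


def inspect_workbook(data: bytes) -> dict:
    """Return findings for a workbook given as raw bytes.

    Keys: is_ooxml, macrosheets (part paths), macrosheet_content_type (bool),
    hidden_sheets (names whose state is hidden/veryHidden), suspicious (bool).
    """
    findings = {"is_ooxml": False, "macrosheets": [], "macrosheet_content_type": False,
                "hidden_sheets": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: could be legacy .xls or junk
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return findings
        findings["is_ooxml"] = True
        # Any part under xl/macrosheets/ is an XLM macro sheet.
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith(MACROSHEET_DIR) and n.endswith(".xml"))
        # Cross-check the content-type registry in case parts were renamed.
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macrosheet_content_type"] = MACROSHEET_CT in ct
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for m in re.finditer(r"<sheet\b[^>]*>", wb):
                tag = m.group(0)
                state = re.search(r'state="(hidden|veryHidden)"', tag)
                name = re.search(r'name="([^"]*)"', tag)
                if state and name:
                    findings["hidden_sheets"].append(name.group(1))
    findings["suspicious"] = bool(findings["macrosheets"]) or findings["macrosheet_content_type"]
    return findings


def build_sample(with_xlm: bool) -> bytes:
    """Construct a minimal in-memory OOXML workbook (constructed test data, not a real file)."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    overrides = ('<Override PartName="/xl/worksheets/sheet1.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>')
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        overrides += f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'{overrides}</Types>')
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                    f'<sheets>{sheets}</sheets></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")  # empty placeholder sheet
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with XLM sheet", True)):
        print(label, inspect_workbook(build_sample(flag)))
```

A mail gateway or sandbox can run inspect_workbook over every spreadsheet attachment and quarantine anything with suspicious set; the hidden_sheets list is useful context for the analyst even when no macro sheet is present.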
As these malicious spreadsheets are typically distributed over email, Binary Defense recommends taking great care when opening XLS files that arrive as email attachments or through download links. Threat actors often reuse the text of real email reply chains stolen from other victims to give their message a sense of legitimacy. Some indicators that an email might be a hijacked email thread are:
• Vague but urgent email subjects, for example:
    o FW: URGENT
    o RE: OPEN NOW
• The original chain had a lot of recipients, for example a ticket distribution list.
• The email contents seem out of place, e.g., an invoice when no transaction has occurred.
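The indicators above can be turned into a triage heuristic for a mail gateway or SOC playbook. The following is an added example, not Binary Defense's code: it scores a message on a reply/forward prefix followed by a vague urgent subject, a large recipient list on the quoted original thread, invoice language with no known counterparty, and a macro-capable Excel attachment. The Message fields, the recipient threshold, the word lists and the known_vendors set are all assumptions made for the example.

```python
"""Heuristic triage of inbound mail for hijacked-thread phishing traits.

Added example (not Binary Defense's code). Field names, thresholds and
word lists are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

URGENT_WORDS = ("urgent", "open now", "action required", "immediately", "asap")
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
INVOICE_WORDS = re.compile(r"\b(invoice|payment|remittance)\b", re.I)
MANY_RECIPIENTS = 10          # assumed threshold for "a lot of recipients"
SPREADSHEET_EXTS = (".xls", ".xlsm", ".xlsb")


@dataclass
class Message:
    subject: str
    recipients: List[str]      # addresses on the quoted original thread
    body: str
    attachments: List[str] = field(default_factory=list)


def score_message(msg: Message, known_vendors: Set[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons); each matched indicator adds one point."""
    reasons: List[str] = []

    # Indicator 1: RE:/FW: prefix hiding a short, vague, urgent subject.
    if REPLY_PREFIX.match(msg.subject):
        rest = REPLY_PREFIX.sub("", msg.subject).strip().lower()
        if rest in URGENT_WORDS or (len(rest.split()) <= 3 and any(w in rest for w in URGENT_WORDS)):
            reasons.append("vague urgent subject on a reply/forward")

    # Indicator 2: the original chain went to many recipients (e.g. a ticket list).
    if len(msg.recipients) >= MANY_RECIPIENTS:
        reasons.append(f"original thread had {len(msg.recipients)} recipients")

    # Indicator 3: invoice/payment language with no recognised vendor mentioned.
    body_lc = msg.body.lower()
    if INVOICE_WORDS.search(msg.body) and not any(v in body_lc for v in known_vendors):
        reasons.append("invoice language with no known vendor or transaction")

    # Extra context: a legacy or macro-capable Excel attachment.
    if any(a.lower().endswith(SPREADSHEET_EXTS) for a in msg.attachments):
        reasons.append("macro-capable Excel attachment")

    return len(reasons), reasons


# Constructed sample messages (not real mail).
SAMPLES = [
    Message("FW: URGENT", [f"user{i}@example.test" for i in range(12)],
            "Please see the attached invoice for payment.", ["invoice_0412.xls"]),
    Message("RE: Q3 roadmap review", ["a@example.test", "b@example.test", "c@example.test"],
            "Attached are the slides from yesterday's session.", ["roadmap.pdf"]),
    Message("RE: OPEN NOW", ["a@example.test", "b@example.test"],
            "Invoice from Acme as discussed, see attachment.", ["acme_invoice.xlsm"]),
]
KNOWN_VENDORS = {"acme"}


def triage(samples=SAMPLES, vendors=KNOWN_VENDORS) -> List[int]:
    """Score each sample; returns the list of scores in input order."""
    return [score_message(m, vendors)[0] for m in samples]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, score_message(m, KNOWN_VENDORS))
```

A score of two or more is a reasonable point at which to hold the message for analyst review rather than block it outright; the reasons list gives the analyst the same cues a trained user would look for.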
Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s own Security Operations Task Force, to detect malware when it arrives on an employee workstation or a server.