Fight against Excel malware: AMSI against contaminated XLM code

Microsoft is expanding the Antimalware Scan Interface (AMSI) in Office 365. AMSI should now be able to detect malicious XLM scripts (Excel 4.0 macros) by inspecting them at runtime. Attackers use such malware more and more frequently, and the risks of infected Office macros were recently discussed in the context of Emotet.

Even though Microsoft now recommends the use of Visual Basic for Applications (VBA), Excel continues to support XLM macros because they are still widely used. Attackers are aware of this and use the now technically outdated language to call Win32 APIs and execute shell commands. Malicious code can be concealed comparatively easily in XLM. More information on the new scanning approach can be found in Microsoft's blog post.
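As an added illustration of the detection side (not code from the article or from Microsoft), the following Python scanner takes formulas already extracted from an Excel 4.0 macro sheet and flags the XLM functions the text describes: REGISTER and CALL, which bind and invoke Win32 API exports, and EXEC, which launches a shell command. The scoring is this example's own heuristic, and the sample macro sheet and defined names are constructed.

```python
import re
from dataclasses import dataclass

# Real XLM (Excel 4.0 macro) functions that reach outside the workbook.
# The "reason" text is this example's own labelling, not an AMSI category.
SENSITIVE = {
    "REGISTER": "binds a Win32 API export",
    "CALL": "invokes a Win32 API export",
    "EXEC": "runs a shell command",
}
# Matches an XLM function name followed by its opening parenthesis.
FUNC_CALL = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


@dataclass
class Finding:
    cell: str
    function: str
    reason: str
    formula: str


def scan_formulas(formulas):
    """formulas: iterable of (cell, formula_text) from a macro sheet.
    Returns one Finding per sensitive function call, in sheet order."""
    findings = []
    for cell, formula in formulas:
        for name in FUNC_CALL.findall(formula.upper()):
            if name in SENSITIVE:
                findings.append(Finding(cell, name, SENSITIVE[name], formula))
    return findings


def auto_open_cells(defined_names):
    """Cells referenced by Auto_Open* defined names run when the workbook opens,
    so a sensitive call reachable from them needs no user interaction."""
    return {ref for name, ref in defined_names.items()
            if name.upper().startswith("AUTO_OPEN")}


# Constructed sample: a macro sheet whose entry point is Auto_Open.
SAMPLE_NAMES = {"Auto_Open": "Macro1!$A$1"}
SAMPLE_FORMULAS = [
    ("Macro1!A1", "=GOTO(A2)"),
    ("Macro1!A2", '=CALL("kernel32","Beep","JJJ",750,300)'),  # harmless API call
    ("Macro1!A3", '=EXEC("notepad.exe")'),                    # harmless command
    ("Macro1!A4", "=HALT()"),
]


def demo():
    """Return (cell, function) pairs flagged in the constructed sample."""
    return [(f.cell, f.function) for f in scan_formulas(SAMPLE_FORMULAS)]
```

A scanner like this only sees formulas that are present in the file; the point of AMSI's runtime inspection is that formulas built dynamically during execution are caught too.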

AMSI has been scanning VBA macros since 2018. Since then, criminals have increasingly turned to XLM macros. Microsoft is now trying to close this gap as well. The antivirus system should now be able to detect malicious XLM macros, stop their execution and shut down Excel entirely in order to ward off a possible attack. The runtime inspection of XLM macros is now part of Excel; Microsoft also asks the developers of other antivirus products to use the open AMSI interface.

