---
title: "Threat Actors are Leveraging Excel Files to Execute Phishing Campaigns, Here’s Everything You Need to Know! | Phish Protection"
description: "Threat Actors are Leveraging Excel Files to Execute Phishing Campaigns, Here’s Everything You Need to Know!: During the past year, users have come."
image: "https://phishprotection.com/og/blog/threat-actors-are-leveraging-excel-files-to-execute-phishing-campaigns.png"
canonical: "https://phishprotection.com/blog/threat-actors-are-leveraging-excel-files-to-execute-phishing-campaigns/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2021/10/phishing-attack-prevention-8426.jpg) 

_During the past year, users have come across several attacks that leveraged the technique of Excel 4.0 Macros_, also known as XLM macros, through [phishing emails](/blog/sophisticated-new-tactic-makes-phishing-emails-harder-to-detect/) to infect the users’ systems with malware. It is essential to get acquainted with this [Excel file weaponizing technique](https://www.zdnet.com/article/this-particularly-dangerous-phishing-attack-features-a-weaponized-excel-file/) to keep your critical data from falling into the hands of cyber adversaries.

### What are Excel 4.0 Macros?

In 1992, Microsoft programmers introduced a feature in Excel 4.0, known as [Excel 4.0 (XLM) macros](https://resources.infosecinstitute.com/topic/excel-4-0-malicious-macro-exploits-what-you-need-to-know/). It was a useful _record-and-playback feature that allowed users to automate Excel 4.0 functions, since this piece of programming code automates repetitive tasks in Excel_. However, adversaries have now turned this function into a backdoor for delivering malicious software to users’ computers. The threat actors obfuscate the XLM code to conceal the malicious macros.

What concerns every organization about this latest attack is that Excel 4.0 macros are one of Excel’s core capabilities, used regularly across several business processes. The malware authors weaponize the Excel file, using macro code to smuggle in the malicious payload, and deliver it as an attachment in a **phishing email**.

### How The Recent XLM Macros Phishing Campaigns Worked

_The adversaries took advantage of the fact that malicious macros can easily be inserted and hidden in an Excel file via various obfuscation strategies_. This is how the file gets past **security checks** and filters without detection. In some cases, adversaries set the sheet to “Very Hidden” to make the attack more sophisticated. In this mode, the sheet cannot be readily accessed through the Excel UI. Instead, an external tool is required to reveal its content.
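A defender can surface "Very Hidden" sheets without opening the file in Excel. The following is an added example, not code from the original article: it reads the sheet list of an Open XML workbook (`.xlsx`/`.xlsm`) and reports each sheet's visibility state and whether it is an XLM macro sheet. The function names and the sample workbook are constructed for illustration; legacy `.xls` and `.xlsb` files keep the same information in binary records and need a different parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
XLM_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"


def triage_sheets(data: bytes) -> list[dict]:
    """List every sheet with its visibility state and whether it is an XLM macro sheet."""
    # For untrusted attachments, run this in a sandbox or use a hardened XML parser.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
    # Map relationship id -> relationship type; the type tells us the kind of sheet part.
    rel_types = {r.get("Id"): r.get("Type", "")
                 for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
    report = []
    for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
        state = sheet.get("state", "visible")  # attribute absent means visible
        rel_type = rel_types.get(sheet.get(f"{{{NS_REL}}}id"), "")
        is_macro = rel_type.lower().endswith("macrosheet")
        report.append({
            "name": sheet.get("name"),
            "state": state,
            "macrosheet": is_macro,
            # Flag for analyst review: any XLM macro sheet, or any sheet hidden from the UI.
            "review": is_macro or state == "veryHidden",
        })
    return report


def build_sample() -> bytes:
    """Constructed two-sheet package containing only the parts this check reads."""
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
                '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{XLM_REL}" Target="macrosheets/sheet1.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_sheets(build_sample()):
        print(row)
```

A sheet flagged for review is a reason to inspect the attachment further, not proof of malice, since legitimate workbooks also hide sheets.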

_A simple web query is enough to trigger the hidden macros in the Excel sheet_. The malware can also be downloaded when the formula executes. The cyber attackers leveraged this Excel loophole and paired it with fear-based [phishing campaigns](/blog/threat-actors-advantage-fintech-platforms-launch-phishing-campaigns/) and other **social engineering ploys**. This allowed the attackers to trick users, gain remote access, and run commands on users’ compromised devices.

### Recent XLM Macros Attacks

The first attack using XLM macros was reported in mid-February 2020. It involved the [social engineering tactic](/resources/protection-against-social-engineering-phishing-and-ransomware/) of luring the user into opening the Excel file attached to an email. The sheet consisted of a malicious command hidden in a formula. The email asked the target to open the file and click on the “Enable Editing” button, enabling the malicious macros.


Since February 2020, a large-scale attack spree has been noticed all over the world. Malicious actors abused the macros’ function so much that in May 2020, _Microsoft published a statement warning everyone about the COVID-19 based [phishing email examples](/content/office-365-phishing-protection/office-365-phishing-email-example/)_. The adversaries impersonated the Johns Hopkins Center and ran **phishing campaigns** with the subject “WHO COVID-19 Situation Report.” In some attacks, the attached Excel file was accompanied by hidden macros that instructed users to download and run NetSupport Manager RAT. This step would enable the attackers to gain remote access to the system.

The latest XLM macros phishing campaign to make news headlines is MirrorBlast. The phishing emails purport to come from a genuine organization and describe COVID-19-related changes to office and working arrangements. **Social engineering techniques** are used to get users to enable macros, which remain disabled by default.

### Protection Against Excel 4.0 Macros Exploitation

There has been increasing use of Excel 4.0 documents as an initial vector to spread malware like [Zloader](https://thehackernews.com/2021/07/hackers-use-new-trick-to-disable-macro.html), Qakbot, Ursnif, and Trickbot. Here are the measures that users can take to minimize the risk of such attacks.

- **_Integration Of AMSI:_** To counter XLM macro-based attacks, Microsoft has enabled the [integration of Antimalware Scan Interface (AMSI)](https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/) with Office 365. This feature _allows organizations to check the runtime behavior of Excel 4.0 macros and malicious scripts to detect threats hidden behind obfuscation and other tricks_. AMSI is also an open interface that the user can pair with any antivirus solution to provide deep and dynamic visibility to detect threats and offer the best [phishing protection](/).
- **_Migrating To VBA:_** Due to the attackers’ continuous exploitation of Excel 4.0 macros, Microsoft encourages all organizations and users to migrate to Visual Basic For Applications (VBA), the successor to XLM macros. _The combination of VBA with AMSI helps in the thorough scrutiny of macros in VBA_.
- **_Being Wary of Unsolicited Emails:_** As scammers use **social engineering scams** to get into the user’s device, users need to pay attention to each email before opening any link or attached file. One of the best [anti-phishing solutions](/content/anti-phishing/) is to follow a zero-trust policy and verify the sender even when an email appears to originate from a recognized source.
- **_Employee Education And Training:_** _No cybersecurity measure will help if the employees are not prepared and trained to detect and report suspicious emails_. They should be wary of any requests or communication relating to financial or other sensitive information. Organizations must conduct [employee awareness programs](/products/phishing-awareness-training/) from time to time to educate the personnel about the latest cyber threats and ways to deal with them.

### Final Words

![Phishing email prevention](https://media.mailhop.org/phishprotection/images/2021/10/phishing-email-prevention-6795.jpg) 

_Excel 4.0 macros are turning out to be a destructive tool that allows malicious actors to get into the users’ system_ and get their malicious code to run on a target. Attackers keep exploring more ways to use the Excel feature to their advantage. Even today, the macros function of Excel worksheets is widely used for legitimate business purposes. Therefore, instantly discontinuing or disabling it is not a viable option in most cases. Managing this constantly evolving attack requires a more comprehensive approach: continuously updating tools, signatures, and security defenses, and upgrading investigative methodologies and [anti-phishing solutions](/).


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

