The picture is a bit more complicated.
Even Microsoft Office 2007 used AES128 but it uses 50,000 spins instead of the more recent 100,000. Excel 2007 saves to XLS by default. This cannot be broken unless it’s a very short and weak passwords.
Microsoft significantly improved security in Office 2013 by introducing SHA512 which made brute forcing and rainbow table searches much slower.
The most recent versions Office 2013 and Office 2016 provide extremely high levels of security. Commercial cracking software only works for passwords below 8 characters from 2007 and onwards unless you’re prepared to wait for a very long time.
None of this matters now because the original user has realised it’s an Excel password and not his AxCrypt password.