The effort aims to stop attackers from abusing various Office document formats as an infection vector. The company has announced that Excel will block untrusted XLL add-ins by default in Microsoft 365 tenants worldwide.
Excel XLL files are dynamic-link libraries (DLLs) that expand the functionality of Microsoft Excel with additional features like custom functions, dialog boxes, and toolbars. However, attackers have also used XLL add-ins in phishing campaigns to push malicious payloads disguised as download links or attachments from trusted entities, such as business partners.
Before this change, XLLs would allow attackers to infect victims that enabled the untrusted add-ins and opened them even though they were warned that the “add-ins might contain viruses or other security hazards.” Opening the add-ins would install the malware in the background without user interaction
Part of a bigger effort
This change is part of Microsoft’s broader effort to remove Office infection vectors used in attack campaigns. Microsoft began working to remove these vectors in 2018 when it extended support for AMSI to Office 365 apps to block attacks using VBA macros.
Since then, Microsoft has disabled Excel 4.0 (XLM) macros, added XLM macro protection, and announced that VBA Office macros are now also blocked by default.
In tenants where the XLL blocking will be enabled by default, an alert will be displayed when users try to enable content from untrusted locations. This alert will inform users of the potential risk and allow them to find more information about why they see the warning.
Hackers and state-sponsored threat groups get in on this. Cisco Talos security researchers have reported a significant increase in using XLLs as an infection vector over the past two years.
State-backed threat groups and financially motivated attackers such as APT10, FIN7, Donot, and TA410 have used XLLs to deploy first-stage payloads onto their targets’ systems. HP’s threat analyst team also saw a “near-sixfold surge in attackers using Excel add-ins (.XLL)” in January 2022 as part of their Q4 2021 threat recap.
This change was announced in January and will generally be available in multi-tenants worldwide by late March after rolling out to all desktop users.
Also read: Microsoft releases security updates for Intel CPU vulnerabilities