Microsoft says its Excel spreadsheet software now blocks untrusted XLL add-ins by default in Microsoft 365 tenants around the world.
The company announced that change in January with a new entry added to the Microsoft 365 roadmap, when the feature entered an initial testing phase by rolling out to Insiders first.
The new feature will be generally available in multi-tenants worldwide by the end of March after rolling out to all desktop users in Current, Enterprise Monthly, and Semi-Annual Enterprise Channels.
“We are introducing a default change for Excel Windows desktop apps that run XLL add-ins: XLL add-ins from untrusted locations will now be blocked by default,” Microsoft said in a new message from the Microsoft 365 message center.
“We have already completed the Insiders Preview rollout. We will begin the rollout in early March and expect to complete it by the end of March.”
Going forward, in tenants where XLL blocking is enabled by default, an alert will be displayed when users attempt to enable content from untrusted locations, informing them of the potential risk and enabling them to find more information about why they see the warning.
This is part of a broader effort to combat the rise of malware campaigns abusing various Office document formats as a vector of infection over the past few years.
Microsoft started working to remove Office infection vectors used in attack campaigns back in 2018, when it extended AMSI support to Office 365 applications to block attacks using VBA macros.
Since then, Redmond started disabling Excel 4.0 macros (XLM), added XLM macro protection, and announced that Office VBA macros are now also blocked by default.
What are XLL add-ins?
Excel XLL files are dynamic link libraries (DLLs) used to extend the functionality of Microsoft Excel with additional features such as custom functions, dialog boxes, and toolbars.
However, attackers also take advantage of XLL add-ins in phishing campaigns. They use them to push malicious payloads disguised in the form of download links or attachments from trusted entities such as business partners.
Before being blocked by default, XLLs allowed attackers to infect victims who enabled and opened untrusted add-ins, even if they were warned that the “add-ons may contain viruses or other security risks”.
After the add-ins were opened, the malware was installed in the background without requiring user interaction.
XLL files have been used by both state-sponsored threat groups and financially motivated attackers (APT10, FIN7, Donot, TA410) to deploy first-stage payloads to the systems of their targets, according to Cisco Talos security researchers.
“Their use has increased dramatically over the past two years as more and more malware families have adopted XLLs as an infection vector,” Cisco Talos said.
HP’s threat analyst team has also reported seeing an “almost six-fold increase in the number of attackers using Excel add-ins (.XLL)” in January 2022 as part of their Q4 2021 threat roundup.
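Because XLL files are ordinary DLLs, as described above, an attachment filter can recognise them by content rather than by file extension. The following is an added example, not code from Microsoft or the original article: it reads the PE header's DLL flag and looks for the `xlAutoOpen` name (the callback Excel invokes when it loads an add-in, which the article does not mention). The verdict labels, the `make_sample` helper and the sample bytes are constructed for illustration, and the plain byte search stands in for a full export-table parse.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The PE signature (4 bytes) and COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return flags


def classify(filename: str, data: bytes) -> str:
    """Triage verdict for an attachment (labels are hypothetical, for this example)."""
    flags = pe_characteristics(data)
    is_dll = flags is not None and bool(flags & IMAGE_FILE_DLL)
    named_xll = filename.lower().endswith(".xll")
    # Heuristic: exported names are stored as NUL-terminated ASCII in the image.
    has_entry = b"xlAutoOpen\0" in data
    if is_dll and has_entry:
        return "xll-addin"        # Excel add-in, whatever the extension says
    if is_dll and named_xll:
        return "dll-named-xll"    # DLL with .xll name, entry point not seen
    if named_xll:
        return "not-pe"           # .xll name, but the content is not a PE image
    return "other"


def make_sample(flags: int, strings: bytes = b"") -> bytes:
    """Constructed sample: DOS stub plus PE signature and COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + strings


if __name__ == "__main__":
    addin = make_sample(0x2002, b"xlAutoOpen\0")
    for name, blob in [("invoice.xll", addin), ("report.xlsx", addin),
                       ("notes.xll", b"PK\x03\x04" + b"\0" * 96)]:
        print(f"{name}: {classify(name, blob)}")
```

The second sample shows why the check looks at content: a DLL carrying the add-in entry point is still reported as an add-in when it arrives under a spreadsheet extension.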