Microsoft is working on adding additional XLL protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
This will help combat the increase in malware campaigns abusing this infection vector in an increasing way over the past few years.
“In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins from the Internet,” Redmond said. said.
Microsoft says the new feature will reach general availability in multi-tenants worldwide in March for desktop users in Current, Enterprise Monthly, and Semi-Annual Enterprise Channels.
The attackers use XLL Supplements (Excel DLL) in phishing campaigns to push various malicious payloads in the form of download links or email attachments camouflaged as materials from trusted entities such as business partners or as false advertising claims, holiday gift guides, and website promotions.
Once the target double-clicks an unsigned XLL file to open it, they are warned of “potential security content”, that “add-ins may contain viruses or other security risks”, and prompted to activate the add-in for the current session.
If the add-in is enabled (and many people ignore Office alerts without taking a second look), it will also deploy a payload of malware to the victim’s device in the background.
Since XLL files are executables and attackers can use them for various malicious tasks, you should only open one if you are 100% sure that it is from a trusted source.
Also, these files are usually not sent as email attachments, but rather installed by a Windows administrator. Therefore, if you receive an email or other message containing such files, delete the message and report it as spam.
As Cisco Talos stated in a January report, XLLs are now used by both financially motivated attackers and state-backed threat groups (APT10, END7, Not, TA410) as an infection vector to deliver first-stage payloads to their targets’ devices.
“Even though XLL add-ins have been around for a while, we were unable to detect their use by malicious actors until mid-2017, when some APT groups started using them to implement a backdoor fully functional,” said Cisco Talos.
“We also identified that their use has increased significantly over the past two years as more malware families have adopted XLLs as an infection vector.”
A year ago, HP’s threat analyst team reported see an “almost six-fold increase in attackers using Excel add-ins (.XLL)” as part of its Threat Insights Q4 2021 report.
It’s part of a larger effort to prevent hackers from using malicious Office documents to distribute and install malware on their targets’ computers.
As of July 2022, Microsoft has stated Office VBA macros would be automatically blocked in downloaded Office documents, which makes it more difficult to activate in documents downloaded from the Internet in several Office applications (Access, Excel, PowerPoint, Visio and Word).
In March 2021, the company added XLM macro protection in M365 by extending the runtime defense provided by Office 365’s integration with the Anti-Malware Scanning Interface (AMSI) to include Excel 4.0 Macro Scanning (XLM).
Redmond began disabling Excel 4.0 (XLM) macros by default when opened in Microsoft 365 tenants in January 2021.
years before, in 2018Microsoft has also extended AMSI support to Office 365 applications to defend customers against attacks using VBA macros.