Microsoft intends to eliminate malware distribution via Excel XLL add-ins

Microsoft is developing XLL add-in protection for Microsoft 365 customers, which will include automated blocking of all such files downloaded from the Internet.

This will aid in combating the recent rise in malware campaigns that have abused this infection vector to an increasing extent.

“We are implementing measures that will block XLL add-ins coming from the internet to combat the increasing number of malware attacks in recent months,” Redmond says.

According to Microsoft, the new feature will be available in multi-tenant mode for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels in March.

Excel XLL files are dynamic-link libraries (DLLs) that provide additional features to Microsoft Excel, such as custom functions, dialogue boxes, and toolbars.

Attackers are using XLL add-ins in phishing campaigns to deliver malicious payloads disguised as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.

When the target double-clicks on an unsigned XLL file to open it, they are warned of “potential security content,” that “add-ins may contain viruses or other security hazards,” and are prompted to enable the add-in for the current session.

If the add-in is enabled (and many people dismiss Office alerts without reading them), it installs a malware payload on the victim’s device in the background.

Because XLL files are executables and can be used by attackers to run malicious code on your computer, you should only open one if you are certain it came from a trusted source.

Furthermore, such files are rarely sent as email attachments and are instead installed by a Windows administrator. As a result, if you receive an email or other message containing such files, delete it and report it as spam.
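The advice above is easier to act on if you can see which XLL add-ins are already registered to auto-load on a machine and whether any of them arrived from the Internet. The following PowerShell script is an added example for defenders, not code from the article or from Microsoft: it reads the Excel auto-load registry values (the `OPEN`, `OPEN1`, ... values under `HKCU\Software\Microsoft\Office\<version>\Excel\Options`, which is where Excel records add-ins it loads at startup), also scans the user's Downloads folder (an assumed location), and reports each XLL's Mark-of-the-Web zone and Authenticode status. A file with `ZoneId=3` in its `Zone.Identifier` stream was downloaded from the Internet, which is exactly the class of file Microsoft says it will start blocking.

```powershell
# Added example (not from the article): audit Excel XLL add-ins on a Windows host.
# Flags add-ins that carry an Internet Mark-of-the-Web or lack a valid signature.
# The Downloads folder below is an assumed location; adjust for your environment.

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Downloaded files carry a Zone.Identifier alternate data stream with a
    # ZoneId line: 3 = Internet, 4 = Restricted sites. No stream => no MOTW.
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-RegisteredXll {
    # Excel auto-loads add-ins listed as OPEN, OPEN1, OPEN2, ... under
    # HKCU\Software\Microsoft\Office\<ver>\Excel\Options, usually in the form
    #   /R "C:\path\to\addin.xll"
    $results = @()
    $versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($v in $versions) {
        $optKey = "HKCU:\Software\Microsoft\Office\$($v.PSChildName)\Excel\Options"
        if (-not (Test-Path $optKey)) { continue }
        $props = Get-ItemProperty -Path $optKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^OPEN\d*$') { continue }
            # Strip the /R switch and surrounding quotes to recover the file path
            $path = ([string]$p.Value -replace '^\s*/R\s+', '').Trim('"')
            $results += [pscustomobject]@{
                OfficeVersion = $v.PSChildName
                ValueName     = $p.Name
                Path          = $path
            }
        }
    }
    return $results
}

function Get-XllRiskReport {
    param([string[]]$ExtraFolders = @("$env:USERPROFILE\Downloads"))
    # Candidate files: everything registered to auto-load, plus any .xll found
    # in the extra folders (assumed: Downloads is where phishing payloads land).
    $candidates = @(Get-RegisteredXll | Select-Object -ExpandProperty Path)
    foreach ($folder in $ExtraFolders) {
        if (Test-Path $folder) {
            $candidates += @(Get-ChildItem -Path $folder -Filter *.xll -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)
        }
    }
    foreach ($path in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $zone = Get-MotwZoneId -Path $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path       = $path
            MotwZone   = $zone
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Internet-sourced (zone 3/4) or not validly signed => review before trusting
            Suspicious = (($null -ne $zone) -and ($zone -ge 3)) -or ($sig.Status -ne 'Valid')
        }
    }
}

Get-XllRiskReport | Format-Table -AutoSize
```

Run it in the context of the user whose Excel profile you want to audit, since the `OPEN` values live under `HKCU`. An add-in that shows `MotwZone` 3 or `Signature` `NotSigned` is the case the article describes: an executable DLL that Excel would load after a single click on the security prompt, so treat it as an incident-response lead rather than something to enable.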

According to a January report from Cisco Talos, XLLs are now used as an infection vector by both financially motivated attackers and state-backed threat groups (APT10, FIN7, Donot, TA410) to deliver first-stage payloads onto their targets’ devices.

“Even though XLL add-ins had been around for a while, we weren’t able to detect their use by malicious actors until mid-2017, when some APT groups began using them to implement a fully functional backdoor,” according to Cisco Talos.

“We also discovered that their use has increased significantly over the last two years as more commodity malware families have adopted XLLs as their infection vector.”

As part of its Threat Insights Report Q4 2021, HP’s threat analyst team reported a “near-sixfold surge in attackers using Excel add-ins (.XLL)” a year ago.

This is part of a larger effort to prevent threat actors from using malicious Office documents to deliver and instal malware on the computers of their targets.

Microsoft announced in July 2022 that Office VBA macros would be auto-blocked in downloaded Office documents, making it harder to enable them in documents downloaded from the Internet across several Office apps (Access, Excel, PowerPoint, Visio, and Word).

In March 2021, the company expanded the runtime defence provided by Office 365’s integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning in M365.

In January 2021, Redmond began disabling Excel 4.0 (XLM) macros by default when opened in Microsoft 365 tenants.

Years before, in 2018, Microsoft added AMSI support to Office 365 apps to protect customers from VBA macro attacks.

