Microsoft plans to kill malware delivery via Excel XLL add-ins
Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond says.
Attackers are using XLL add-ins in phishing campaigns to push various malicious payloads in the form of download links or attachments camouflaged as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
Once the target double-clicks on an unsigned XLL file to open it, they will be warned of "a potential security content," that "Add-ins might contain viruses or other security hazards," and prompted to enable the add-in for the current session.
"Even if XLL add-ins existed for some time, we were not able to detect their usage by malicious actors until mid-2017 when some APT groups started using them to implement a fully functional backdoor," Cisco Talos said.
Redmond started disabling Excel 4.0 macros by default when opened in Microsoft 365 tenants in January 2021.