Security News > 2023 > January > Microsoft closes another door to attackers by blocking Excel XLL files from the internet

Microsoft in March will start blocking Excel XLL add-ins from the internet to shut down an increasingly popular attack vector for miscreants.

Security researchers have said that after Microsoft began blocking Visual Basic for Application macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.

In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files.

The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.

XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets.

In Excel, if a user wants to open a file with a.XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/25/microsoft_excel_xll_closed/