Microsoft says the Excel spreadsheet software is now blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide. "We are introducing a default change for Excel Windows desktop apps that run XLL add-ins: XLL add-ins from untrusted locations will now be blocked by default," Microsoft said in a new Microsoft 365 message center post.
Microsoft in March will start blocking Excel XLL add-ins from the internet to shut down an increasingly popular attack vector for miscreants. Security researchers have said that after Microsoft began blocking Visual Basic for Applications macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.
Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. "In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond says.
Now, according to Cisco Talos, advanced persistent threat actors and commodity malware families alike are increasingly using Excel add-in files as an initial intrusion vector. One such method turns out to be XLL files, which are described by Microsoft as a "Type of dynamic link library file that can only be opened by Excel."
Microsoft Office files, particularly Excel and Word files, have been targeted by some cybercriminals for a long time. As exposed in new research from Cisco Talos, threat actors might leverage event handling functions in Excel files in order to automatically launch.
A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one: XLL files in Excel. Microsoft describes XLL files as "a type of dynamic link library file that can only be opened by Excel".
Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins. The latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.
The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found. "Emotet's new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload," Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.
The HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks. There was a huge six-fold increase in attackers using malicious Microsoft Excel add-in files to infect systems compared to last quarter - a technique found to be particularly dangerous as it only requires one click to run the malware.
Microsoft has announced that Excel 4.0 macros will now be disabled by default to protect customers from malicious documents. Starting July 2021, Windows admins could also use group policies, and users could use the 'Enable XLM macros when VBA macros are enabled' setting from the Excel Trust Center, to disable this feature manually.