Microsoft to further deter malware attacks by blocking internet-downloaded XLL add-ins


Microsoft will introduce a new security measure to deter attackers from distributing malware via XLL add-ins. As spotted by Bleeping Computer, the Redmond company will start blocking XLL add-ins downloaded from the internet once the new capability becomes generally available, which is currently planned for March.

According to the software giant, the measure is a response to the growing number of malware attacks, which have become increasingly prevalent in recent months. In its Microsoft 365 roadmap, the company says the change will roll out worldwide to desktop users of Excel in the Monthly Enterprise Channel, Semi-Annual Enterprise Channel, General Availability, Preview, and Current Channel.

The move follows findings in the HP Wolf Security Threat Insights Report published last year, which highlighted “a near-sixfold surge in attackers using Excel add-ins (.XLL) to infect systems.” Cisco Talos, meanwhile, said that “currently, a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”

XLL is the file extension Excel uses for native add-ins; an XLL is essentially a DLL (dynamic-link library) that exports the entry points Excel expects, such as xlAutoOpen, which Excel calls as soon as the add-in is loaded. Such files are uncommon as email attachments, since add-ins are normally installed by administrators. Nonetheless, because the .xll extension is associated with an icon similar to the one used for other Excel formats, unwary users may mistake an XLL for an ordinary workbook and open it. Excel shows a standard security warning when the add-in is opened, but a single click on the “enable” button loads the DLL into the Excel process and runs its code. From that point the add-in can fetch and run the attacker's payload in the background, on the user's machine and with the user's privileges.

“…XLL files can be a good choice for adversaries seeking to gain an initial foothold on a victim machine,” said Unit 42 by Palo Alto Networks. “An attacker can get code packaged into a DLL loaded by Excel, which in turn may mislead security products that are not prepared to deal with this scenario.”

Until the block ships, the best users can do to protect themselves from XLL-delivered malware is to refuse download links, attachments, and emails that carry such files. This is especially important for suspicious emails and links from unknown senders and websites (including spoofed ones), since attackers can disguise the files to look like legitimate documents.

Once the change lands, Microsoft 365 users will get a block on XLL add-ins downloaded from the internet, that is, files carrying Windows' Mark of the Web tagging them as coming from the internet zone. That removes the most common delivery path for this kind of malware. As with other Mark of the Web based protections, an XLL that arrives without the mark (for example, extracted by an archiver that does not propagate it, or copied from removable media) is not treated as internet-downloaded, so the usual caution still applies. And while the general availability date may still change, the capability will be a significant improvement to the security of Microsoft customers.
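The block described above keys on Windows' Mark of the Web, the Zone.Identifier alternate data stream that browsers and mail clients attach to downloaded files. The following PowerShell script is an added example, not code from the article or from Microsoft: it lists the .xll files under a folder (the default path is an assumption), reports whether each one carries a Zone.Identifier stream and which zone it records, and checks that the file really begins with the PE "MZ" signature that a genuine XLL, being a DLL, must have. It lets an administrator find internet-sourced XLLs that landed on a machine before the block was available.

```powershell
# Added example (not from the article or Microsoft). Lists .xll files under a
# folder and reports whether each carries the Mark of the Web, the Zone.Identifier
# alternate data stream Windows writes to downloaded files. $Root is an assumed default.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

# An XLL is a DLL, so a genuine one starts with the PE "MZ" signature.
function Test-PeSignature {
    param([Parameter(Mandatory)][string]$File)
    $fs = [System.IO.File]::OpenRead($File)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally {
        $fs.Dispose()
    }
}

# Maps the ZoneId value of a Zone.Identifier stream to the URL security zone name.
# Handled explicitly because a PowerShell switch over $null runs no branch at all.
function Get-ZoneName {
    param($ZoneId)
    if ($null -eq $ZoneId) { return 'None (no Mark of the Web)' }
    switch ([int]$ZoneId) {
        0 { 'LocalMachine' }
        1 { 'LocalIntranet' }
        2 { 'TrustedSites' }
        3 { 'Internet' }
        4 { 'RestrictedSites' }
        default { "Unknown ($ZoneId)" }
    }
}

function Get-XllZoneInfo {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.xll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $zoneId = $null; $hostUrl = $null; $referrer = $null
        try {
            # Get-Content throws when the stream does not exist, i.e. there is no Mark of the Web.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $ads) {
                if     ($line -match '^ZoneId=(\d+)\s*$')   { $zoneId   = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl  = $Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
            }
        } catch { }

        [pscustomobject]@{
            Path         = $_.FullName
            SizeBytes    = $_.Length
            IsPE         = Test-PeSignature -File $_.FullName
            ZoneId       = $zoneId
            Zone         = Get-ZoneName -ZoneId $zoneId
            # ZoneId 3 (Internet) or 4 (Restricted) is what "downloaded from the internet" means to Windows.
            FromInternet = ($zoneId -eq 3 -or $zoneId -eq 4)
            HostUrl      = $hostUrl
            ReferrerUrl  = $referrer
        }
    }
}

Get-XllZoneInfo -Path $Root | Format-Table Path, IsPE, Zone, FromInternet, HostUrl -AutoSize
```

Point the script at user profiles or file shares where downloads accumulate. A file reported as FromInternet is exactly the kind the new block will refuse to load; one reported with no Mark of the Web will not be covered by it, which is also what happens after someone runs Unblock-File on a download, so XLLs should not be unblocked casually.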
