A new security option will be added to Microsoft 365 as early as March of this year.
Microsoft is working on adding XLL add-in protection for Microsoft 365 customers. By default, XLL files downloaded from the Internet will be blocked automatically. Despite the potential inconvenience, this will help counter the growing number of malicious campaigns that use this method of infection. The option is scheduled to roll out to the majority of existing Microsoft 365 users this March.
"To combat the growing number of malware attacks in recent months, we have decided to automatically block XLL add-ons coming from the Internet," says the Redmond corporation.
Excel XLL add-ins are dynamic link libraries (DLLs) used to extend the functionality of Microsoft Excel. Attackers use them in phishing campaigns to distribute various malicious payloads. XLLs are delivered to victims' computers as download links or as attachments disguised as documents from trusted individuals.
As soon as the target opens an unsigned XLL file, a warning appears about "potential security-related content", stating that "add-ons may contain viruses or other security risks." The user is prompted to enable the add-in for the current session only.
If the user ignores the Office warning (which users do in most cases) and runs the add-in, it immediately begins deploying the malware payload in the background.
Since XLL files are executable and can be used by attackers to run malicious code, you should only open them if you are 100% sure that the add-ins come from a trusted source. These files are also usually not sent as email attachments but installed by a Windows administrator. Therefore, if you receive an email or any other message that contains XLL files, you definitely should not download or open them.
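Because XLL files normally should not arrive by email at all, a mail-triage check can flag them before a user ever sees the Office prompt. The following is an added example, not code from Microsoft or from the reports cited here; the function names, the list of document extensions and the "MZ header under a document name" heuristic are assumptions made for illustration, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of extensions an XLL might be disguised under.
DOC_EXTS = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".pdf")

def classify_attachment(filename, payload):
    """Return a finding label for a risky attachment, or None."""
    name = (filename or "").strip().lower()
    if name.endswith(".xll"):           # also catches "invoice.xlsx.xll"
        return "xll-extension"
    # XLLs are DLLs, so the content starts with the DOS/PE magic "MZ".
    if payload[:2] == b"MZ" and name.endswith(DOC_EXTS):
        return "pe-disguised-as-document"
    return None

def scan_message(raw):
    """Parse a raw RFC 5322 message and list (filename, finding) pairs."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict = classify_attachment(part.get_filename(), payload)
        if verdict:
            findings.append((part.get_filename(), verdict))
    return findings

def build_sample():
    """Constructed test message: two suspicious attachments, one benign."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q1 invoice"
    msg.set_content("See attached.")
    pe_stub = b"MZ" + b"\x00" * 62        # constructed header stub, not a real DLL
    zip_stub = b"PK\x03\x04" + b"\x00" * 26  # real .xlsx files are ZIP containers
    for name, data in (("Invoice.XLL", pe_stub),
                       ("report.xlsx", pe_stub),
                       ("budget.xlsx", zip_stub)):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, finding in scan_message(build_sample()):
        print(f"{finding}: {filename}")
```
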
More than a year ago, in the Threat Insights Report Q4 2021, the HP Threat Analyst team reported a “nearly sixfold increase in the number of attackers using Excel add-ins.” The number of cases of malicious add-in use has probably grown even more since then, given that Microsoft has resorted to such measures.
As Cisco Talos noted in a January report, XLL files are currently being used by both financially motivated attackers and government-backed hacker groups (APT10, FIN7, Donot, TA410).
This approach to handling suspicious files is far from new for Microsoft. In July 2022, similar blocks were applied to Office VBA macros, and in March 2021 to XLM macros. Of course, all these restrictions cause a lot of inconvenience for the Office end user, but all of Microsoft's actions are, one way or another, aimed at security.