Microsoft intends to stop malware delivery using Excel XLL add-ins

Microsoft will soon add XLL add-in protection for Microsoft 365 customers, automatically blocking XLL files that are downloaded from the Internet.

This is meant to curb the malware campaigns that have increasingly abused this infection vector over the past few years.

Redmond said that, to counter the growing number of malware attacks, it is implementing security measures that will block XLL add-ins arriving from the Internet.

Microsoft says the feature will reach general availability for all multi-tenant environments worldwide in March, for users on the Current, Semi-Annual Enterprise, and Monthly Enterprise channels.
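As an added illustration (not part of the original article, and not Microsoft's code), the following Python sketches the policy described above: an XLL file is blocked when its Mark of the Web, the NTFS Zone.Identifier alternate data stream, says it came from the Internet zone. The sample stream, the host names and the fail-closed handling of an unparseable mark are constructed assumptions.

```python
from pathlib import Path
from typing import Optional, Tuple

# Windows URL security zone IDs as written into the Zone.Identifier stream.
ZONE_INTERNET = 3
ZONE_NAMES = {0: "local", 1: "intranet", 2: "trusted", 3: "internet", 4: "restricted"}

# Constructed sample of a Zone.Identifier stream for a file saved from a browser.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/gift-guide\r\n"
    "HostUrl=https://example.invalid/files/guide.xll\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section into zone_id, referrer and host."""
    fields, in_section = {}, False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    zone_raw = fields.get("zoneid")
    zone_id = int(zone_raw) if zone_raw and zone_raw.isdigit() else None
    return {"zone_id": zone_id, "referrer": fields.get("referrerurl", ""),
            "host": fields.get("hosturl", "")}


def should_block_xll(filename: str, stream_text: Optional[str]) -> Tuple[bool, str]:
    """Decide whether an add-in should be blocked: only .xll files carrying an
    Internet (or Restricted) zone mark are blocked; an unparseable mark fails closed."""
    if Path(filename).suffix.lower() != ".xll":
        return False, "not an XLL add-in"
    if not stream_text:
        return False, "no Mark of the Web (file was not downloaded)"
    info = parse_zone_identifier(stream_text)
    zone = info["zone_id"]
    if zone is None:
        return True, "unparseable Zone.Identifier; failing closed"
    if zone >= ZONE_INTERNET:
        return True, f"{ZONE_NAMES.get(zone, zone)} zone, host {info['host'] or 'unknown'}"
    return False, f"{ZONE_NAMES.get(zone, zone)} zone"


def read_zone_identifier(path: str) -> Optional[str]:
    """On NTFS the mark is stored in the file's ':Zone.Identifier' stream."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # stream absent, or not an NTFS volume
        return None
```

Run `should_block_xll(p, read_zone_identifier(p))` over quarantined attachments to see which ones the described policy would stop.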

In phishing campaigns, attackers use XLL files to push malicious payloads, disguising them as download links or attachments from trusted entities such as business partners, or as fake advertising requests, holiday gift guides, or website promotions.

Double-clicking an unsigned XLL file to open it shows the target a warning that add-ins can contain viruses or other security hazards, and then prompts them to activate the add-in anyway.

If the add-in is activated, the malware payload is installed on the victim's device in the background (and most people do not even bother to read Office alerts).

Attackers can use XLL files to execute malicious code, so you should only open them if you are certain they are authentic.

Such files should not arrive as email attachments; they are normally installed by Windows administrators. If you receive an email or other message containing one, delete it and report the message as spam.

Excel XLL warning (BleepingComputer)

As Cisco Talos said in a January report, XLLs are now used by both financially motivated attackers and state-backed threat groups (APT10, FIN7, Donot, TA410) as an infection vector to deliver first-stage payloads onto their targets' devices.

Cisco Talos noted that although XLL add-ins have existed for a long time, it did not observe their use by malicious actors before mid-2017, when APT groups began using them to build fully functional backdoors.

They also found that XLLs were used significantly more over the past two years, as more malware families and commodity infections adopted them.

In its Q4 2021 Threat Insights Report, HP's threat analyst team reported a nearly sixfold increase in attacks using Excel add-ins (.XLL) compared with a year earlier.

XLL attack timeline (Cisco Talos)

This step is part of a broader effort to stop threat actors from using malicious Office documents to deliver and install malware on target computers.

Microsoft announced a block on macros in downloaded Office documents starting July 2022, making them harder to activate in Office apps such as Access, Excel, PowerPoint and Visio.

In March 2021, the company expanded the runtime protection provided by Office 365's integration with the Antimalware Scan Interface (AMSI) to include Excel 4.0 macro scanning for M365 customers.

Redmond began disabling Excel 4.0 (XLM) macros by default in Microsoft 365 tenants on January 20, 2021.

Microsoft also extended AMSI support to Office 365 apps to protect customers from attacks using VBA macros.