Microsoft Excel now blocking untrusted XLL add-ins by default

Microsoft says the Excel spreadsheet software is now blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide.

The company  this change in January with a new entry added to the Microsoft 365 roadmap when it entered an initial testing phase by first rolling out to Insiders.

The new feature will be generally available in multi-tenants worldwide by late March after rolling out to all desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.

“We are introducing a default change for Excel Windows desktop apps that run XLL add-ins: XLL add-ins from untrusted locations will now be blocked by default,” Microsoft said in a new Microsoft 365 message center post.

“We have already completed rolling out to Insiders preview. We will begin rolling out early March and expect to complete by late March.”

Moving forward, in tenants where the XLL blocking will get enabled by default, an alert will be displayed when users try to enable content from untrusted locations, informing them of the potential risk and allowing them to find more information about why they’re seeing the warning.

This is part of a broader effort to tackle the rise of malware campaigns abusing various Office document formats as an infection vector throughout recent years.

Microsoft began working to remove Office infection vectors used in attack campaigns  when it extended support for AMSI to Office 365 apps to block attacks using VBA macros.

Since then, Redmond , , and announced that .

What are XLL add-ins?

Excel XLL files are dynamic-link libraries (DLLs) used to expand the functionality of Microsoft Excel with additional features like custom functions, dialog boxes, and toolbars.

However, attackers are also taking advantage of XLL add-ins in phishing campaigns. They use them to push malicious payloads  as download links or attachments from trusted entities such as business partners.

Before being blocked by default, XLLs would allow attackers to infect victims that enabled the untrusted add-ins and opened them even though they were warned that the “add-ins might contain viruses or other security hazards.”

After opening the add-ins, the malware got installed in the background without requiring user interaction.

XLLs have been used by both state-backed threat groups and financially-motivated attackers ( , , ) to deploy first-stage payloads onto their targets’ systems, according to .

“Their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector,” Cisco Talos said.

HP’s threat analyst team also  seeing a “near-sixfold surge in attackers using Excel add-ins (.XLL)” in January 2022 as part of their Q4 2021 threat recap.