Microsoft Excel Takes a Stand Against Malware with Default Blocking of Untrusted XLL Add-ins

Microsoft is taking a significant step towards improving data protection by blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide.

In this article, we’ll delve into this recent development and how it will impact Excel users.

Key Takeaways:

  • Microsoft is blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide to improve data protection and address the growing threat of malware campaigns that exploit Office document formats.
  • XLL files are DLLs that expand Excel’s capabilities with custom functions, dialog boxes, and toolbars. However, attackers misuse XLL add-ins in phishing attempts, sending disguised malicious content that appears to come from reliable sources.
  • Previously, XLLs could infect users who enabled untrusted add-ins despite being warned of the potential security risks. With the new feature, users receive an alert when attempting to enable content from untrusted locations.
  • The new XLL blocking feature provides an extra layer of protection against phishing campaigns that use XLL add-ins as an infection vector, making it harder for attackers to deploy first-stage payloads onto their targets’ systems.
  • Microsoft’s move to block untrusted XLL add-ins by default is an essential step towards data security and protecting users against malicious attacks, following its decision to block macros in Office files downloaded from the internet.

The Announcement

Microsoft first announced the new feature in January of this year and has been testing it by rolling it out to insiders.

The new feature is expected to be generally available in multi-tenants worldwide by late March. 

With this new feature, XLL add-ins from untrusted locations will now be blocked by default in Excel Windows desktop apps.

Why This Move is Significant

Microsoft stated that the newly added feature is a step towards addressing the growing malware campaigns that exploit different Office document formats for spreading infections. 

XLL files are DLLs that enhance the capabilities of Excel with custom functions, dialog boxes, and toolbars. 

However, attackers misuse XLL add-ins in phishing attempts, sending disguised malicious content, like download links or attachments, that appears to come from reliable sources such as business partners.

Prior to the introduction of this new feature, XLLs could be used by attackers to infect users who enabled untrusted add-ins despite being warned of the potential security risks. 

With the new XLL blocking enabled by default, users will receive an alert when attempting to enable content from untrusted locations, which will inform them of the possible risks and provide additional information about why the warning is being shown.
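Because XLL files are DLLs, a mail or download filter can confirm what an `.xll` attachment really is by reading its PE header rather than trusting the file name. The sketch below is an added example, not Microsoft's code; the function names, verdict labels and sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL


def is_pe_dll(data: bytes) -> bool:
    """True if data begins with a PE image whose COFF header marks it as a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of PE header
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    # The 20-byte COFF header follows the signature; Characteristics is at offset 18.
    (characteristics,) = struct.unpack_from("<H", data, pe_off + 4 + 18)
    return bool(characteristics & IMAGE_FILE_DLL)


def triage_attachment(name: str, data: bytes) -> str:
    """Classify an attachment by extension and by what the bytes actually are."""
    has_xll_ext = name.lower().endswith(".xll")
    dll = is_pe_dll(data)
    if has_xll_ext and dll:
        return "xll-add-in"             # native add-in: hold for review
    if has_xll_ext:
        return "xll-extension-not-dll"  # mislabelled or truncated file
    if dll:
        return "dll-other-extension"    # native code under another name
    return "other"


def sample_pe(characteristics: int) -> bytes:
    """Constructed header-only bytes (not a loadable image) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed sample attachments, not real files.
    for name, blob in [("Invoice.XLL", sample_pe(0x2022)),
                       ("report.xll", b"PK\x03\x04"),
                       ("notes.txt", b"hello")]:
        print(name, "->", triage_attachment(name, blob))
```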

The Impact on Data Protection

This latest move by Microsoft is an important security measure to keep users’ data safe. 

It follows a summer 2022 decision to stop the abuse of macros in Office files, which were widely used to deploy malware to target endpoints. 

That prompted Microsoft to block all macros in Office files downloaded from the internet. 

Since then, hackers have started experimenting with alternative methods to deliver various malware payloads, and one methodology that grew popular was XLL add-ins.

Over the past few years, XLLs have been a popular tool for state-backed and financially motivated attackers to infiltrate their victims’ systems.

Researchers from Cisco Talos revealed that the use of XLLs has notably increased in the last two years as more malware families started utilizing them as an infection vector. 

In fact, HP’s threat analyst team reported a sixfold increase in the number of attackers using Excel add-ins in their Q4 2021 threat recap, further highlighting the rising threat posed by XLLs.

With this new feature, Microsoft is ensuring that users have an extra layer of protection against phishing campaigns that use XLL add-ins as an infection vector. 

By blocking untrusted XLL add-ins by default, Microsoft is making it harder for attackers to deploy first-stage payloads onto their targets’ systems.

Final Thoughts

In conclusion, the new default blocking of untrusted XLL add-ins in Microsoft Excel is a welcome development that will provide better protection for users. 

This new feature is part of a broader effort by Microsoft to tackle the rise of malware campaigns that have been abusing various Office document formats as an infection vector. 

With this new feature, Excel users can feel more confident about the security of their data, knowing that Microsoft is taking steps to protect them against malicious attacks.

Written by

Alexander Sterling

Alexander Sterling is a renowned financial writer with over 10 years in the finance sector. With a strong economics background, he simplifies complex financial topics for a wide audience. Alexander contributes to top financial platforms and is working on his first book to promote financial independence.

Reviewed By

Judith

Judith Harvey is a seasoned finance editor with over two decades of experience in the financial journalism industry. Her analytical skills and keen insight into market trends quickly made her a sought-after expert in financial reporting.