Microsoft is taking a significant step towards improving data protection by blocking untrusted XLL add-ins by default in Microsoft 365 tenants worldwide.
In this article, we’ll delve into this recent development and how it will impact Excel users.
Key Takeaways:
Microsoft first announced the feature in January of this year and has been testing it by rolling it out to Insiders.
The feature is expected to be generally available in multi-tenant environments worldwide by late March.
With this new feature, XLL add-ins from untrusted locations will be blocked by default in Excel Windows desktop apps.
Microsoft stated that the newly added feature is a step towards addressing the growing malware campaigns that exploit different Office document formats for spreading infections.
XLL files are DLLs that enhance the capabilities of Excel with custom functions, dialog boxes, and toolbars.
However, attackers misuse XLL add-ins in phishing campaigns, delivering them as download links or attachments in messages that appear to come from reliable sources such as business partners.
Prior to the introduction of this new feature, XLLs could be used by attackers to infect users who enabled untrusted add-ins despite being warned of the potential security risks.
With the new XLL blocking enabled by default, users will receive an alert when attempting to enable content from untrusted locations, which will inform them of the possible risks and provide additional information about why the warning is being shown.
This latest move by Microsoft is an important security measure to keep users’ data safe.
It follows a summer 2022 decision to stop the abuse of macros in Office files, which were widely used to deploy malware to target endpoints.
That prompted Microsoft to block all macros in Office files downloaded from the internet.
Since then, hackers have started experimenting with alternative methods to deliver various malware payloads, and one method that grew popular was XLL add-ins.
Over the past few years, XLLs have been a popular tool for state-backed and financially motivated attackers to infiltrate their victims’ systems.
Researchers from Cisco Talos revealed that the use of XLLs has notably increased in the last two years as more malware families started utilizing them as an infection vector.
In fact, in its Q4 2021 threat recap, HP’s threat analyst team reported a sixfold increase in the number of attackers using Excel add-ins, further highlighting the rising threat posed by XLLs.
With this new feature, Microsoft is ensuring that users have an extra layer of protection against phishing campaigns that use XLL add-ins as an infection vector.
By blocking untrusted XLL add-ins by default, Microsoft is making it harder for attackers to deploy first-stage payloads onto their targets’ systems.
In conclusion, the new default blocking of untrusted XLL add-ins in Microsoft Excel is a welcome development that will provide better protection for users.
This new feature is part of a broader effort by Microsoft to tackle the rise of malware campaigns that have been abusing various Office document formats as an infection vector.
With this new feature, Excel users can feel more confident about the security of their data, knowing that Microsoft is taking steps to protect them against malicious attacks.