Microsoft Will Block Excel XLL Files Downloaded from the Internet

Microsoft developers are going to block some Excel add-in (.XLL) files for Microsoft 365. The new measures will include automatic blocking of such files downloaded from the Internet.

As a reminder, we also wrote that hackers use the .NET library for creating malicious Excel files. The media also noted that, for security reasons, Microsoft disabled Excel 4.0 (XLM) macros.

More recently, researchers have warned that after Microsoft began blocking VBA macros in Office documents downloaded from the Internet (marked with the Mark of the Web), attackers had to rethink their attack chains.

Now hackers are increasingly using XLL files in phishing campaigns, disguising them as important documents, promotions, and so on.

Although Excel warns about the potential dangers of XLLs, these warnings are usually overlooked by users.

Although the recently developed VBA macro blocking only covers the latest versions of Access, Excel, PowerPoint, Visio, and Word, attackers have already started experimenting with alternative ways to infect and deploy malware.

As Cisco Talos researchers reported, one such “innovation” was the use of XLL files, which Microsoft describes as “a kind of DLL file” and which are used to extend the functionality of Microsoft Excel.

Because XLL files are executable, attackers can use them to run malicious code. As early as last year, experts warned that XLL files were already being abused by the Chinese hacking groups APT10 and TA410 (and they started back in 2017); the Russian-speaking group FIN7, which began using add-on files in its campaigns last summer; the well-known Dridex malware loader and FormBook loader; as well as other major malware families, including AgentTesla, Ransomware Stop, Vidar, Buer Loader, Nanocore, IcedID, Arkei, AsyncRat, BazarLoader, and so on.
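For defenders, the two properties described above (an XLL is a DLL, and downloaded files carry the Mark of the Web) can be checked directly on a file. The following Python is an added example, not code from Microsoft or Cisco Talos; the function names, verdict strings and sample data are hypothetical, and it assumes the caller passes in the text of the file's NTFS `Zone.Identifier` stream, which is where Windows stores the Mark of the Web.

```python
import struct

IMAGE_FILE_DLL = 0x2000   # PE/COFF Characteristics flag: image is a DLL
UNTRUSTED_ZONES = {3, 4}  # 3 = Internet, 4 = Restricted sites (including 4 is this example's assumption)

# Constructed sample of a Zone.Identifier stream (the Mark of the Web).
SAMPLE_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/offer.xll\r\n"


def parse_zone_id(stream_text):
    """Return ZoneId from the [ZoneTransfer] section, or None if missing or malformed."""
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isascii() and value.isdigit() else None
    return None


def is_pe_dll(data):
    """True if data begins with a PE image whose file header has the DLL flag set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return False
    (characteristics,) = struct.unpack_from("<H", data, pe_offset + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def triage_xll(filename, data, zone_stream=None):
    """Hypothetical triage verdict for one file and its Zone.Identifier text, if any."""
    if not filename.lower().endswith(".xll"):
        return "not-xll"
    if not is_pe_dll(data):
        return "xll-extension-but-not-a-dll"
    zone = parse_zone_id(zone_stream) if zone_stream else None
    return "xll-from-internet" if zone in UNTRUSTED_ZONES else "xll-without-internet-motw"


def build_sample_pe(characteristics):
    """Constructed 88-byte stub: DOS header whose e_lfanew points at a COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff
```

A file that returns `xll-without-internet-motw` has no Internet-zone mark to key on, for example because it was copied to a filesystem that does not preserve alternate data streams.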

“In order to combat the growing number of malware attacks in recent months, we will take measures that will block XLL add-ons coming from the Internet,” Microsoft developers now say.

The company said that the new functionality will become generally available worldwide in March 2023 and will work for users in the Current, Monthly Enterprise and Semi-Annual Enterprise channels.

By Vladimir Krasnogolovy
