Microsoft blocks Excel XLL files from the Internet • The Register

In March, Microsoft will begin blocking Excel XLL add-ins from the Internet to close an increasingly popular attack vector for miscreants.

In a one-sentence note on the Microsoft 365 roadmap, the vendor said the move was in response to “the increasing number of malware attacks in recent months.”

Security researchers have said that after Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack path, threat groups began using other options, such as LNK files and ISO and RAR attachments.

In December, Cisco’s Talos threat intelligence group described another tool that cybercriminals were turning to: Excel XLL files. The Talos researchers not only broke down how bad guys use the XLL files, but also detailed a sharp increase in their use since Microsoft closed the door on VBA macros, noting that the first malicious samples were submitted to VirusTotal in 2017.

“For quite a long time after that, the use of XLL files is only sporadic, and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Talos, wrote in the report.

That shouldn’t come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.

“When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternative avenues,” Storie said. “This often leads threat actors to explore previously known, perhaps less ideal, options to achieve their goals.”

Even before this year, some researchers saw attackers turning to XLL files. Researchers with HP’s Wolf Security said that in Q4 2021 there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, although at the time it was unclear whether Excel add-ins would replace Office macros as the cyber weapon of choice.

XLL files are a type of DLL file that opens only in Excel and allows third-party programs to add more functionality to spreadsheets. If a user tries to open a file with the .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about potentially dangerous code, similar to the one displayed when an Office document containing VBA macro code is opened.

And as with VBA macros, users will often ignore the warning.

“XLL files can be sent via email, and even with the usual anti-malware scanning measures, users may be able to open them without knowing they may contain malicious code,” Svajcer wrote.
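A mail-gateway style attachment check built on the two points above, that an XLL is a DLL and that it can arrive by email. This is an added example, not code from the article, Talos or Microsoft. The function names, verdict strings and sample bytes are constructed for illustration, and `xlAutoOpen` (the export Excel calls when it loads an add-in) is a detail the article does not state.

```python
import struct

IMAGE_FILE_DLL = 0x2000       # COFF Characteristics bit: image is a DLL
XLL_EXPORT = b"xlAutoOpen\0"  # export name Excel calls when loading an add-in

def is_pe_dll(data: bytes) -> bool:
    """True if data is a PE image whose COFF header marks it as a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    # Characteristics is the last 2 bytes of the 20-byte COFF header.
    (flags,) = struct.unpack_from("<H", data, pe_off + 22)
    return bool(flags & IMAGE_FILE_DLL)

def triage_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment by content first, file name second."""
    # Windows ignores trailing dots and spaces in names, so strip them.
    named_xll = filename.lower().rstrip(". ").endswith(".xll")
    dll = is_pe_dll(data)
    # Heuristic: raw byte search for the export name, not an export-table walk.
    if dll and (named_xll or XLL_EXPORT in data):
        return "block"       # native add-in that Excel would load
    if named_xll or dll:
        return "quarantine"  # name/content mismatch, or a bare DLL in mail
    return "pass"

def sample_pe(flags: int, body: bytes = b"") -> bytes:
    """Constructed test input: DOS header + PE signature + COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + body

if __name__ == "__main__":
    samples = {  # constructed attachments, not real files
        "invoice.xll": sample_pe(0x2022, XLL_EXPORT),
        "report.dll": sample_pe(0x2022, XLL_EXPORT),
        "notes.xll": b"plain text",
        "budget.xlsx": b"PK\x03\x04",
    }
    for name, blob in samples.items():
        print(name, "->", triage_attachment(name, blob))
```

Checking the header rather than only the extension catches an add-in that has been renamed, and the extension check still flags a `.xll` name whose content is something else.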

Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes that users have to deal with – and which cybercriminals know will be ignored by many – is a win for security teams.

“To steal a typical infosec buzzword, the best way to think of these is as ‘next-gen’ macro attacks,” Barratt said. “As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see “are you sure you’re the fatigue sets in of course.” ®