Microsoft wants to help stop you being hit by Excel malware

The days are numbered for attackers using Excel's XLL add-ins to deliver malware to Microsoft customers, the company has announced.

XLL files are Excel add-ins: native DLLs that expose an Excel-specific interface and extend the program with custom worksheet functions, toolbars and the like. Because an XLL is compiled code that Excel loads straight into its own process, an add-in that runs is as powerful as any other executable, which is exactly why it is attractive for delivering malware.

Crooks have been using XLL files in phishing attacks, successfully delivering malware loaders, infostealers, and possibly even ransomware on some occasions.

A surge in popularity

Now, Microsoft’s first step is to prevent such files downloaded from the internet from running:

“In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet,” the company said in an entry on its Microsoft 365 roadmap. 

The change will first reach multi-tenant users globally in March 2023, for Microsoft 365 desktop users on the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.

While weaponized XLL files have probably been around for a lot longer, they began grabbing people's attention in early 2022, around the time Microsoft decided to block VBA macros by default in Office files downloaded from the internet (files carrying the Mark of the Web). As threat actors could no longer rely on macros to deliver malware to target endpoints, they increasingly turned to XLL files, which at that point were still allowed to load regardless of where the file came from.

In early 2022, HP's security arm, HP Wolf Security, analyzed data from "the many millions of endpoints" running its software during 2021 and reported a 588% increase in the use of Excel add-ins to distribute malware.

The researchers say this technique is particularly dangerous because victims need only one click to compromise their endpoints: opening the add-in and accepting Excel's prompt is enough for the native code inside it to run, with no macro warning and no need for the victim to enable anything else.
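Two checks a defender can run around the behaviour described above, as an added example rather than anything from Microsoft's announcement or the HP research: the first reads the Mark of the Web that Windows stores in a file's Zone.Identifier alternate data stream, which is the signal Office uses to decide that a file "came from the internet"; the second scans image-load records in a Sysmon Event ID 7 style for Excel loading an .xll that is unsigned or sits in a directory a phished user can write to. The flattened record format, the directory heuristics, and all sample data are constructed for this example.

```python
"""Mark-of-the-Web check and a detection for suspicious Excel add-in loads.

Sample data and the 'Key=value|Key=value' record format are constructed for
this example; the user-writable path list is a heuristic to tune per site.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# URLMON security zone IDs as written to the Zone.Identifier stream.
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4


def parse_zone_identifier(stream_text: str) -> int | None:
    """Return the ZoneId from Zone.Identifier stream text, or None if absent.

    Windows writes the stream when a browser or mail client saves a file:
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://example.test/invoice.xll
    """
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None


def is_from_internet(stream_text: str | None) -> bool:
    """True when the file carries a Mark of the Web for the Internet (3) or
    Restricted sites (4) zone; no stream at all means no MotW, so False.
    Assumption: this mirrors how Office's internet-origin checks treat zones."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text)
    return zone in (ZONE_INTERNET, ZONE_RESTRICTED)


# Profile directories where a one-click download typically lands (heuristic).
USER_WRITABLE_MARKERS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
)


def parse_event_line(line: str) -> dict[str, str]:
    """Parse one constructed 'Key=value|Key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_xll_loads(lines: list[str]) -> list[str]:
    """Return ImageLoaded paths where Excel loaded an .xll that is unsigned or
    lives in a user-writable location. Signed add-ins under Program Files
    (e.g. the Analysis ToolPak) pass through; other processes are ignored."""
    hits = []
    for line in lines:
        ev = parse_event_line(line)
        process = PureWindowsPath(ev.get("Image", "")).name.lower()
        loaded = ev.get("ImageLoaded", "")
        if process != "excel.exe" or not loaded.lower().endswith(".xll"):
            continue
        signed = ev.get("Signed", "").lower() == "true"
        user_writable = any(m in loaded.lower() for m in USER_WRITABLE_MARKERS)
        if not signed or user_writable:
            hits.append(loaded)
    return hits


# Constructed Sysmon-style Event ID 7 (image loaded) records; not real telemetry.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ImageLoaded=C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL"
    "|Signed=true|Signature=Microsoft Corporation",
    "EventID=7|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\invoice_Q1.xll|Signed=false|Signature=",
    "EventID=7|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    "EventID=7|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\invoice_Q1.xll|Signed=false|Signature=",
    "EventID=7|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\report.xll"
    "|Signed=true|Signature=Self-signed test cert",
]

if __name__ == "__main__":
    motw = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/invoice_Q1.xll\r\n"
    print("from internet:", is_from_internet(motw))
    for path in suspicious_xll_loads(SAMPLE_EVENTS):
        print("suspicious XLL load:", path)
```

On a live Windows host the stream text would come from `Get-Content -Path file.xll -Stream Zone.Identifier` (or `open(r"file.xll:Zone.Identifier")` in Python); the detection deliberately keys on where the add-in was loaded from and whether it is signed rather than on the file name, since a renamed or freshly built dropper still has to be loaded by EXCEL.EXE from somewhere the user could write.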

Adverts for .xll droppers and malware builders have also started popping up on underground markets, making it easy for low-skilled attackers to launch campaigns with devastating consequences.

Until the block reaches your tenant, the best protection remains the usual one: be extra careful when running any file that arrives via email or from websites whose authenticity cannot be confirmed, and treat an unexpected add-in prompt from Excel as a warning sign rather than something to click through. Administrators can also tighten Excel's Trust Center add-in settings, for example requiring application add-ins to be signed by a trusted publisher.

Via: BleepingComputer