Microsoft will begin blocking Excel XLL add-ins from the Internet in March to shut down an increasingly popular attack vector for criminals.
In a one-sentence note to its Microsoft 365 roadmap, the vendor said the move was in response to “increasing malware attacks in recent months.”
After Microsoft began blocking Visual Basic for Applications (VBA) macros in Word, Excel and PowerPoint by default in July 2022 to cut off a popular attack vector, threat groups began using other options, such as LNK files and ISO and RAR attachments.
In December, Cisco’s Talos threat intelligence group detailed another tool cybercriminals are turning to: Excel XLL files. Talos researchers not only analyzed how crooks use XLL files, but also detailed how their usage has increased dramatically since Microsoft shut down VBA macros, noting that the first malicious samples were submitted to VirusTotal in 2017.
“The use of XLL files was sporadic for quite some time after that, and it did not increase significantly until late 2021, when commodity malware families such as Dridex and Formbook started using it,” wrote Vanja Svajcer, outreach researcher at Talos, in the report.
Dave Storie, adversarial collaboration engineer at LARES Consulting, tells The Register that this is no surprise.
“When an organization like Microsoft reduces the attack surface or otherwise increases the effort required to execute attacks against its products, it forces threat actors to explore alternative avenues,” Storie said. “This often leads threat actors to explore previously known, and perhaps less desirable, options to achieve their goals.”
Even before this year, some researchers discovered that criminals were turning to XLL files. Attacks using these files to compromise systems surged 588% year-over-year in the fourth quarter of 2021, researchers at HP Wolf Security said, adding that they expected the trend to continue in 2022, although it was unclear at the time whether Excel add-ins would replace Office macros as the cyber weapon of choice.
An XLL file is a type of DLL file that can only be opened by Excel; it lets third-party applications add functionality to the spreadsheet. If a user opens a file with the .XLL extension from Windows Explorer, Windows automatically tries to start Excel and load the file, which triggers Excel to display a warning about potentially dangerous code, similar to the warning shown when opening an Office document containing VBA macro code.
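To make the upcoming rule concrete, here is an added example (not code from the article or from Microsoft) that models it as a local triage check: it confirms that an .xll attachment is a PE image and reads the Mark-of-the-Web that Windows stores in a downloaded file's Zone.Identifier alternate data stream, blocking add-ins whose zone is Internet or Restricted. The sample file bytes, stream contents and host names below are constructed for the demonstration.

```python
"""Triage check for Excel XLL add-ins that carry a Mark-of-the-Web (MOTW)."""
import struct
from typing import Optional, Tuple

# Zone ids Windows writes into Zone.Identifier: 3 = Internet, 4 = Restricted.
INTERNET_ZONES = {3, 4}

# Constructed minimal PE image: DOS 'MZ' stub, e_lfanew at 0x3C -> 'PE\0\0' at 0x40.
SAMPLE_XLL = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 0x40
# Constructed Zone.Identifier stream, as written for a file saved from a browser.
SAMPLE_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/quote.xll\r\n"


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_zone_identifier(ads: Optional[str]) -> dict:
    """Parse the INI-style [ZoneTransfer] stream into a dict; a missing stream gives {}."""
    fields = {}
    for line in (ads or "").splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def should_block_xll(name: str, data: bytes, zone_ads: Optional[str]) -> Tuple[bool, str]:
    """Decide (block?, reason) for one attachment, mirroring 'block XLL from the Internet'."""
    if not name.lower().endswith(".xll"):
        return False, "not an XLL add-in"
    if not is_pe_image(data):
        # An .xll that is not a DLL cannot be a legitimate add-in; hold it for review.
        return True, "XLL extension but not a valid PE image"
    zone = parse_zone_identifier(zone_ads)
    try:
        zone_id = int(zone.get("ZoneId", ""))
    except ValueError:
        return False, "no Mark-of-the-Web; treated as a locally built add-in"
    if zone_id in INTERNET_ZONES:
        return True, f"XLL from zone {zone_id} (host {zone.get('HostUrl', 'unknown')})"
    return False, f"XLL from trusted zone {zone_id}"


if __name__ == "__main__":
    print(should_block_xll("quote.xll", SAMPLE_XLL, SAMPLE_ADS))
```

On a real Windows host the stream is read from `<file>:Zone.Identifier`; the check deliberately leaves files with no MOTW alone, which is also why stripping the mark (for example by extracting from some archive formats) is worth watching for separately.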
As with VBA macros, warnings are often ignored by users.
“XLL files can be emailed, and even with usual anti-malware scanning measures, users can open them without knowing that they may contain malicious code,” Svajcer wrote.
Coalfire Vice President Andrew Barratt told The Register that reducing the number of dialogs users have to deal with — which cybercriminals know many will ignore — is a win for security teams.
“To steal a typical infosec buzzword, it’s best to think of them as ‘next generation’ macro attacks,” Barratt said. “As with many of these attacks, the best position for software to take is to disable the feature and employ prompts and an alerting process. The challenge is that over time we definitely see ‘Are you sure?’ fatigue.” ®