Microsoft closes another door to attackers by blocking Excel XLL files from the internet

More of them used by baddies since Redmond blocked VBA macros


Microsoft in March will start blocking Excel XLL add-ins from the internet to shut down an increasingly popular attack vector for miscreants.

In a one-sentence note on its Microsoft 365 roadmap, the vendor said the move was in response to "the increasing number of malware attacks in recent months."

Security researchers have said that after Microsoft began blocking Visual Basic for Application (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.

In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were turning to: Excel XLL files. The Talos researchers not only broke down how the crooks use XLL files but also documented a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.

XLL files are a type of DLL file that is only opened in Excel and lets third-party applications add more functionality to spreadsheets. If a user opens a file with a .XLL extension from Windows Explorer, Windows automatically launches Excel to load the file, and Excel displays a warning about possibly dangerous code, similar to the one shown when an Office document containing VBA macro code is opened.

And as with VBA macros, users often will disregard the warning.
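As an added example (not code from the article, Talos or Microsoft), here is the kind of gateway-side check a defender can apply to what the article describes: treat a .xll attachment as the DLL image it is, and block it when its Mark-of-the-Web zone says it came from the internet. It assumes the file's Zone.Identifier stream text is available alongside the bytes; the PE header stub builder is a constructed test fixture, not a real add-in.

```python
import re
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000      # COFF Characteristics flag marking a DLL image
URLZONE_INTERNET = 3         # Zone.Identifier ZoneId for "Internet"


def is_pe_dll(data: bytes) -> bool:
    """True if data starts with a PE image whose COFF header has the DLL flag set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # COFF file header follows the signature; Characteristics is its last WORD
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def zone_id(zone_stream: Optional[bytes]) -> Optional[int]:
    """Parse ZoneId from a Zone.Identifier alternate data stream; None if absent."""
    if not zone_stream:
        return None
    m = re.search(rb"^ZoneId=(\d+)", zone_stream, re.M)
    return int(m.group(1)) if m else None


def classify_attachment(name: str, data: bytes, zone_stream: Optional[bytes]) -> str:
    """Return 'block', 'review' or 'allow' for a file a user received."""
    if not name.lower().endswith(".xll"):
        return "allow"
    if not is_pe_dll(data):
        return "review"          # a .xll that is not a DLL image is malformed or disguised
    zone = zone_id(zone_stream)
    if zone is None or zone >= URLZONE_INTERNET:
        return "block"           # native add-in of internet or unknown origin
    return "allow"


def build_pe_stub(characteristics: int) -> bytes:
    """Constructed minimal DOS+PE header (not loadable) for offline testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff
```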

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.

Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.

"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in." ®
