Microsoft has announced that it will now block untrusted XLL add-ins by default in Excel spreadsheets. The change was initially announced in January, and the feature has been tested by Insiders. The new feature will be generally available in multi-tenants worldwide by late March.
XLL add-ins are dynamic-link libraries (DLLs) that can be used to expand the functionality of Microsoft Excel with additional features like custom functions, dialog boxes, and toolbars.
However, attackers have also abused XLL add-ins in phishing campaigns, using them to push malicious payloads disguised as download links or attachments from trusted entities such as business partners.
Before they were blocked by default, XLLs allowed attackers to infect victims who enabled and opened the untrusted add-ins despite being warned that the “add-ins might contain viruses or other security hazards.” Once the add-in was opened, the malware would be installed in the background without requiring user interaction.
Blocking untrusted XLL add-ins by default is part of Microsoft’s broader effort to tackle the rise of malware campaigns that abuse various Office document formats as an infection vector. The company has been working to remove Office infection vectors used in attack campaigns since 2018, when it extended support for AMSI to Office 365 apps to block attacks using VBA macros.
Since then, Microsoft has disabled Excel 4.0 (XLM) macros, added XLM macro protection, and announced that VBA Office macros are now also blocked by default.