Microsoft closes another door to attackers by blocking Excel XLL files from the internet

Microsoft successful March will commencement blocking Excel XLL add-ins from nan net to unopen down an progressively celebrated onslaught vector for miscreants.

In a one-sentence note connected its Microsoft 365 roadmap, nan vendor said nan move was successful consequence to "the expanding number of malware attacks successful caller months."

Security researchers person said that aft Microsoft began blocking Visual Basic for Application (VBA) macros by default successful Word, Excel, and PowerPoint successful July 2022 to trim disconnected a celebrated onslaught avenue, threat groups began utilizing different options, specified arsenic LNK files and ISO and RAR attachments.

In December, Cisco's Talos threat intelligence group detailed different instrumentality that cybercriminals were targeting: Excel XLL files. The Talos researchers not only collapsed down really nan crooks usage nan XLL files but elaborate a crisp summation successful their usage since Microsoft unopen nan VBA macros door, noting that nan first malicious samples were submitted to VirusTotal successful 2017.

"For rather immoderate clip aft that, nan usage of XLL files is only sporadic and it does not summation importantly until nan extremity of 2021, erstwhile commodity malware families specified arsenic Dridex and Formbook started utilizing it," Vanja Svajcer, outreach interrogator for Talos, wrote successful nan report.

That shouldn't travel arsenic a surprise, Dave Storie, adversarial collaboration technologist astatine LARES Consulting, told The Register.

• Microsoft took its macros and went home, truthful miscreants turned to Windows LNK files
• Microsoft and organization merchandise scripts to thief mitigate Defender mess
• This Windows worm evolved into slinging ransomware. Here's really to observe it
• Want to sneak a RAT into Windows? Buy Quantum Builder connected nan acheronian web

"When organizations for illustration Microsoft trim nan onslaught aboveground aliases different summation nan effort required to execute an onslaught connected their merchandise offerings, it forces threat actors to research alternate avenues," Storie said. "This often leads to exploring antecedently known, possibly little ideal, options for threat actors to execute their objectives."

Even earlier this year, immoderate researchers were seeing miscreants make their measurement to XLL files. Researchers pinch HP's Wolf Security said that successful Q4 2021, location was a 588 percent year-over-year jump successful attackers utilizing nan files to discuss systems, adding that they expected nan inclination to proceed successful 2022, though it was unclear astatine nan clip if Excel add-ins would switch Office macros arsenic nan cyber-weapon of choice.

XLL files are a type of DLL record that are only opened successful Excel and alteration third-party applications to adhd much functionality to spreadsheets. In Excel, if a personification wants to unfastened a record pinch a .XLL hold successful Windows Explorer, nan strategy will automatically effort to motorboat Excel and unfastened nan file, triggering Excel to show a informing astir imaginable vulnerable code, akin to that shown erstwhile an Office archive containing VBA macro codification is opened.

And arsenic pinch VBA macros, users often will disregard nan warning.

"XLL files tin beryllium sent by email, and moreover pinch nan accustomed anti-malware scanning measures, users whitethorn beryllium capable to unfastened them not knowing that they whitethorn incorporate malicious code," Svajcer wrote.

Andrew Barratt, vice president astatine Coalfire, told The Register that reducing nan number of dialog boxes which users person to woody pinch – and that cybercriminals cognize will beryllium ignored by galore – is simply a triumph for information teams.

"To bargain a emblematic infosec buzzword, nan champion measurement to deliberation of these are for illustration 'next-gen' macro attacks," Barratt said. "As pinch galore of these types of attacks, nan champion position for nan package to return is to disable nan capacity and person a prompt-and-alert process. The situation is that complete clip we spot nan 'are you sure, you're sure' fatigue group in." ®