Microsoft wants to help stop you being hit by Excel malware


The days are numbered for hackers using Excel’s XLL features to deliver malware to Microsoft customers, the company has announced.

XLL files are similar to DLL files and provide the program with a number of advanced features, including custom functions and toolbars. 

Crooks have been using XLL files in phishing attacks, successfully delivering malware, infostealers, and possibly even ransomware on some occasions.


A surge in popularity

Now, Microsoft’s first step is to prevent such files downloaded from the internet from running:

"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," the company said in an entry on its Microsoft 365 roadmap. 

The change will first reach multi-tenant users globally in March 2023, for Microsoft 365 desktop users on the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
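The block Microsoft describes targets XLL add-ins that arrived from the internet, which Windows records on downloaded files as a zone mark. As an added example that is not from the article or from Microsoft, the PowerShell script below (assumed to run on Windows with NTFS, where the mark is stored in the Zone.Identifier alternate data stream) inventories .xll files under a folder and reports which still carry an Internet or Restricted zone mark and whether they look like a genuine add-in, i.e. a native DLL exporting xlAutoOpen.

```powershell
# Added example, not part of the article. Scans a folder for Excel add-ins (.xll)
# and reports which ones still carry an Internet-zone mark of the web.
param([string]$Root = "$env:USERPROFILE\Downloads")  # assumed default scan root

Get-ChildItem -Path $Root -Recurse -Filter '*.xll' -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_

    # The mark of the web lives in the Zone.Identifier stream; it is absent on
    # files that were created locally, so a missing stream is not an error.
    $zoneLines = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in $zoneLines) {
      if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    # An XLL is an ordinary PE DLL: it starts with the 'MZ' signature and the
    # Excel add-in interface requires an exported xlAutoOpen function, whose
    # name appears as ASCII in the export table.
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    $isPe = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    $hasAutoOpen = [System.Text.Encoding]::ASCII.GetString($bytes).Contains('xlAutoOpen')

    [pscustomobject]@{
      Path              = $file.FullName
      ZoneId            = $zoneId                      # 3 = Internet, 4 = Restricted, $null = no mark
      FromInternet      = ($zoneId -eq 3 -or $zoneId -eq 4)
      IsPeImage         = $isPe
      ExportsXlAutoOpen = $hasAutoOpen
    }
  } | Sort-Object FromInternet -Descending | Format-Table -AutoSize
```

Files reported with FromInternet set are the ones the announced block is meant to stop; a file with no zone mark but a PE header and xlAutoOpen export deserves a closer look, since the mark can be lost when an archive is extracted or a file is copied to a non-NTFS volume.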

While weaponized XLL files have probably been around for a lot longer, they began grabbing people’s attention in early 2022, around the time Microsoft decided to prevent Office files downloaded from the internet from running any macros. As threat actors could no longer use macros to deliver malware to target endpoints, they increasingly turned to XLL files.

In early 2022, HP’s cybersecurity arm Wolf Security analyzed data from “the many millions of endpoints” running its software in 2021 and discovered a 588% increase in the use of Excel add-ins to distribute malware.

The researchers say this technique is particularly dangerous because a victim needs only one click to compromise their endpoint.

Adverts for an .xll dropper and malware builder have also started popping up on underground markets, making it easy for low-level attackers to launch campaigns with devastating consequences.

As usual, the best way to protect against such attacks is to be extra careful when running any files coming via email, or websites whose authenticity cannot be confirmed. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.