Now that Microsoft has again deactivated foreign VBA macros in Office by default and does not run them, there is one less attack vector. Again and again there were dangerous Excel add-ins with the XLL file extension that executed malware after a click. Now this danger is also being shut down by Microsoft – but not until March 2023.
According to The Register, Microsoft will begin blocking Excel XLL add-ins from the web in March in a bid to shut down an increasingly popular attack vector for cybercriminals. In a brief note on the Microsoft 365 roadmap, the manufacturer explained that the move was in response to "the increasing number of malware attacks in recent months."
Excel XLL files also blocked after VBA blockade
As early as July 2022, Microsoft began blocking VBA (Visual Basic for Application) macros in Word, Excel and PowerPoint by default. Since then, hackers have turned to using other options, such as LNK files and ISO and RAR attachments. Excel XLL files have also become the focus of criminals. Security researchers have noticed that their use has greatly increased.
"From the perspective of cybercriminals, the Microsoft Office suite is the perfect target for attacks since it is used by most computer users. Over the past decade, macros built into some of the most popular editors, such as Excel and Word, have become one of the top attack vectors. Often users innocently press the yellow bar with the "Enable Macros" or "Enable Content" button. With just one click, a full-scale attack can be launched, often resulting in ransomware compromise,” said Jake Moore, Global Security Advisor at ESET.
Excel-XXL as a new avenue of attack
“However, since Microsoft decided to ban VBA macros from the internet by default in 2022, this attack vector has lost some of its attractiveness, forcing attackers to look for alternatives. As documented in many research reports and blogs, XLL files have become one of the most popular replacement programs. But that, too, will soon be over as Microsoft wants to shut down this vector as well – good news for users, bad news for criminals.”
What are XLL files?
XLL files are a type of DLL files that only open in Excel. They allow third-party applications to add functionality to spreadsheets. In Excel, when a user tries to open a file with an .XLL extension in Windows Explorer, the system automatically tries to start Excel and open the file. Excel then displays a warning about possible malicious code, similar to opening an Office document containing VBA macro code. And like VBA macros, users often ignore the warning.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.