Home » Technology » Microsoft » Microsoft Now Blocks XLL Add-ins In Excel Due To Increased Attacks

Microsoft Now Blocks XLL Add-ins In Excel Due To Increased Attacks

Microsoft has launched a new security measure for Excel. The spreadsheet now automatically blocks all untrusted XLL add-ins by default. This applies worldwide, users also receive a warning.

The Office team started the change back in January. At that time there was first the announcement in the Microsoft 365 roadmap and then almost at the same time the start of the test phase for insiders.

“We’re introducing a default change for Excel Windows desktop applications that run XLL add-ins: XLL add-ins from untrusted locations are now blocked by default,” Microsoft said in a new post in the Microsoft 365 message center. The blocking of the XLL add-ins is now expected to be generally available in multi-tenants worldwide by the end of March. The distribution is currently running to all desktop users in the “Current”, “Monthly Enterprise” and “Semi-Annual Enterprise” channels.

All users should be supplied by the end of March

“We have already completed the rollout for the Insider preview. We will begin the rollout in early March and expect to complete it by the end of March.”

Going forward, if XLL blocking is enabled by default, a warning will be displayed when users try to enable content from untrusted locations. The warning is intended to provide information about the potential risk. The change is part of a broader effort to combat the rise in malware campaigns that have abused various Office document formats as infection vectors in recent years. As early as 2018, Microsoft began removing the first Office infection vectors that were frequently used.

Among other things, support for AMSI on Office 365 apps is Extended to block attacks with VBA macros. Also, Excel 4.0 disabled (XLM) macros, added XLM macro protection and announced that VBA Office macros would be blocked by default.

What are XLL add-ins?

Excel XLL files are dynamic-link libraries (DLLs) designed to extend the functionality of Microsoft Excel with additional features such as user-defined functions, dialog boxes, and toolbars. However, attackers are increasingly using XLL add-ins in phishing campaigns, distributing manipulated data via attachments and pretending to come from known recipients such as business partners.

Before Microsoft blocked the XLLs by default, victims who enabled and opened the untrusted add-ins could be infected. Once opened, the malware was installed in the background without the user doing or noticing anything. In the last two years, more and more malware families have used XLLs as an infection vector.