Microsoft will begin blocking Excel XLL add-ins from the Internet in March to close an increasingly common attack vector for malicious actors.
In a one-sentence post on its Microsoft 365 “roadmap,” the vendor says the move is in response to “an increasing number of malicious attacks in recent months.”
After Microsoft began blocking Visual Basic for Applications (VBA) macros in Word, Excel, and PowerPoint by default in July 2022 to stop a known attack avenue, threat groups began using other options like LNK files and ISO and RAR attachments.
In December, Cisco's Talos threat intelligence team detailed another tool being abused by cybercriminals: Excel XLL files. Talos researchers not only described how fraudsters use XLL files, but documented a sharp increase in their use since Microsoft closed the door on VBA macros, noting that the first malicious samples were submitted to VirusTotal in 2017.
“For quite some time after that, the use of XLL files was rare, and it did not increase significantly until late 2021, when commodity malware families like Dridex and Formbook started using it,” Talos researcher Vanja Svajcer wrote in the report.
That shouldn't come as a surprise, Dave Storey, an adversarial collaboration engineer at LARES Consulting, told The Register.
“When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to attack their product offerings, it forces threat actors to explore alternative avenues,” Storey said. “This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their goals.”
Even before this year, some researchers were seeing malware making its way into XLL files. Researchers at HP's Wolf Security said there was a 588 percent year-over-year increase in attackers using XLL files to compromise systems in Q4 2021, adding that they expected the trend to continue in 2022, although it was not clear at the time whether Excel add-ins would replace Office macros as the cyberweapon of choice.
XLL files are a type of DLL that opens only in Excel and lets third-party applications add functionality to spreadsheets. If a user opens a file with an .XLL extension from Windows Explorer, the system automatically launches Excel to load the file, and Excel displays the same warning about potentially unsafe code that it shows when an Office document containing VBA macro code is opened.
And as with VBA macros, users often ignore the warning.
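The mechanism described above (an XLL is a native DLL that Excel loads through a fixed entry point, and Microsoft's new block keys on whether the file came "from the Internet") lends itself to a static triage check a mail gateway or endpoint team could run. The following is an added example written for this article, not code from Microsoft, Talos or any vendor: it reads the PE export table with the standard library alone and treats the presence of the `xlAutoOpen` export as the defining sign of an XLL add-in regardless of the file's extension, then combines that with the ZoneId from a Mark-of-the-Web `Zone.Identifier` stream. The `build_sample_pe()` helper fabricates a minimal PE32+ image so the example runs offline; it is constructed test data, not a real add-in, and the function names are this example's own.

```python
"""Static triage of Excel XLL add-ins (added example, not vendor code).

An XLL is a DLL that Excel drives through the xlAutoOpen export, so the
export table identifies one more reliably than the .xll extension does.
"From the Internet" is modelled as a Mark-of-the-Web ZoneId of 3 or 4.
"""
import struct

INTERNET_ZONES = {3, 4}  # URLMON zones: 3 = Internet, 4 = Restricted sites


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def pe_export_names(data: bytes) -> list:
    """Return the exported symbol names of a PE image, [] if it is not a PE,
    has no export directory, or is truncated (parsing is bounds-tolerant)."""
    try:
        if data[:2] != b"MZ":
            return []
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return []
        coff = e_lfanew + 4
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        size_opt = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ data directories
        if dd_off is None:
            return []
        export_rva = struct.unpack_from("<I", data, opt + dd_off)[0]  # entry 0 = exports
        if export_rva == 0:
            return []
        sections = []
        for i in range(num_sections):
            hdr = opt + size_opt + 40 * i
            vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
            sections.append((va, vsize, raw_ptr, raw_size))
        exp = _rva_to_offset(export_rva, sections)
        if exp is None:
            return []
        num_names = struct.unpack_from("<I", data, exp + 24)[0]       # NumberOfNames
        names_off = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)
        if names_off is None:
            return []
        names = []
        for i in range(min(num_names, 4096)):  # cap guards against absurd counts
            start = _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
            if start is None:
                break
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):
        return []


def looks_like_xll(data: bytes) -> bool:
    """Excel calls xlAutoOpen when loading an add-in; without it the DLL is not a working XLL."""
    return "xlAutoOpen" in pe_export_names(data)


def motw_zone(zone_identifier_text: str):
    """Parse ZoneId from the text of a Zone.Identifier alternate data stream."""
    for line in zone_identifier_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def triage(data: bytes, zone_identifier_text: str = "") -> str:
    """Verdict a filter would log: not-xll, xll-local, or xll-from-internet."""
    if not looks_like_xll(data):
        return "not-xll"
    return "xll-from-internet" if motw_zone(zone_identifier_text) in INTERNET_ZONES else "xll-local"


def build_sample_pe(exports=("xlAutoOpen", "xlAutoClose")) -> bytes:
    """Constructed PE32+ image with one section holding only an export directory (test data)."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_off, names_off, ords_off, str_off = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    name_rvas, cur = [], str_off
    for e in exports:
        name_rvas.append(sec_rva + cur)
        cur += len(e) + 1
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + cur, 1, n, n,
                                 sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off))
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # dummy code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += b"".join(e.encode() + b"\0" for e in exports) + b"sample.xll\0"
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(body))            # export directory entry
    sec_hdr = b".edata\0\0" + struct.pack("<IIII", len(body), sec_rva, 0x200, sec_raw) + bytes(16)
    image = bytearray(sec_raw + 0x200)
    header = dos + b"PE\0\0" + coff + opt + sec_hdr
    image[:len(header)] = header
    image[sec_raw:sec_raw + len(body)] = body
    return bytes(image)


if __name__ == "__main__":
    motw = "[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed Zone.Identifier content
    print(triage(build_sample_pe(), motw))   # xll-from-internet
```

The extension is deliberately never consulted: a renamed add-in still exports `xlAutoOpen`, and a `.xll` that is not a PE yields `not-xll`. The ZoneId text is passed in rather than read from disk so the check runs anywhere; on Windows the stream would be read from `<file>:Zone.Identifier`.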
“XLL files can be sent via e-mail, and even with conventional anti-virus scanning tools, users can open them without knowing they may contain malicious code,” Svajcer wrote.
Coalfire Vice President Andrew Barratt told The Register that reducing the number of dialog boxes that users have to deal with, and that cybercriminals know many will ignore, is a win for security teams.
“To steal the typical infosec word, the best way to think of them is like ‘next-generation’ macro attacks,” Barratt said. “As with many of these types of attacks, the best position for software is to disable the capability and have a quick and alert process in place. The problem is that over time we see ‘are you sure it’s you?’ fatigue has definitely set in.” ®