Microsoft is adding XLL add-in protection for Microsoft 365 customers by automatically blocking all XLL files downloaded from the Internet.
The measure is meant to curb malware campaigns that have abused this infection vector to a growing extent over the last several years. "In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond said.
The new feature is expected to reach general availability in multi-tenant environments worldwide in March for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
Attackers use XLL add-ins in phishing campaigns to push various malicious payloads, delivered as download links or as attachments camouflaged as documents from trusted entities. Excel XLL files are dynamic-link libraries (DLLs) generally used to extend the functionality of Microsoft Excel with additional features such as custom functions, dialog boxes, and toolbars.
XLLs are used by both financially-motivated attackers and state-backed threat groups (APT10, FIN7, Donot, TA410) as an infection vector to deliver first-stage payloads onto their targets' devices.
"Even if XLL add-ins existed for some time, we were not able to detect their usage by malicious actors until mid-2017 when some APT groups started using them to implement a fully functional backdoor," Cisco Talos said.
"We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector."