Microsoft will block Excel XLL files from the Internet - The Register

In March, Microsoft will begin blocking Excel XLL add-ins from the Internet to shut down an increasingly popular attack vector for bad guys.

In a one-sentence note to its Microsoft 365 roadmap, the provider said the move was in response to the “increased number of malware attacks in recent months.”

Security researchers have said that after Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began to use other options, such as LNK and ISO files and RAR attachments.

In December, Cisco’s Talos threat intelligence group detailed another tool that cybercriminals were turning to: Excel XLL files. Talos researchers not only looked at how criminals use XLL files, but also detailed a sharp increase in their use since Microsoft closed the door on VBA macros, noting that the first malicious samples were submitted to VirusTotal in 2017.

“For quite some time after that, the use of XLL files is only sporadic and doesn’t increase significantly until late 2021, when commodity malware families like Dridex and Formbook started using it,” Vanja Svajcer, Talos Disclosure Researcher, wrote in the report.

That shouldn’t come as a surprise, Dave Storie, an antagonistic collaboration engineer at LARES Consulting, told The Register.

“When organizations like Microsoft reduce the attack surface or increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternative avenues,” Storie said. “This often leads to exploring previously known, perhaps less ideal options for threat actors to achieve their objectives.”

Even before this year, some researchers were seeing bad guys target XLL files. Researchers at HP’s Wolf Security said there was a 588% year-over-year increase in the number of attackers using the files to compromise systems in Q4 2021, adding that they expected the trend to continue in 2022, although at the time it was unclear whether Excel add-ins would replace Office macros as the cyber weapon of choice.

XLL files are a type of DLL file that opens only in Excel and allows third-party applications to add more functionality to spreadsheets. If a user opens a file with an .XLL extension in Windows Explorer, the system will automatically try to start Excel and open the file, which will cause Excel to display a warning about possibly dangerous code, similar to the one displayed when an Office document that contains VBA macro code is opened.

And just like with VBA macros, users will often ignore the warning.

“XLL files can be sent via email, and even with the usual anti-malware scanning measures, users can open them without knowing that they may contain malicious code,” Svajcer wrote.
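Because an XLL is a native DLL that arrives as an ordinary attachment, a mail filter can treat it as executable content rather than as a spreadsheet. The following is an added example, not code from the article, Microsoft or Talos: the function names and verdict strings are hypothetical, and `xlAutoOpen` (the callback Excel invokes when it loads an add-in) is not mentioned in the article and is used here only as a byte-string heuristic.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a PE image as a DLL


def is_pe_dll(data: bytes) -> bool:
    """True if data begins with MZ/PE headers whose COFF flags mark a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    # Characteristics is the last 2 bytes of the 20-byte COFF header.
    (characteristics,) = struct.unpack_from("<H", data, pe_off + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def triage_attachment(filename: str, data: bytes) -> str:
    """Return an illustrative verdict for one e-mail attachment."""
    # Windows ignores trailing dots and spaces, so "a.xll." still opens as .xll.
    name = filename.lower().rstrip(". ")
    named_xll = name.endswith(".xll")
    dll = is_pe_dll(data)
    if named_xll and dll:
        return "block: XLL add-in (native DLL that Excel will load)"
    if named_xll:
        return "quarantine: .xll name but content is not a PE DLL"
    # Heuristic only: the string is searched for, the export table is not parsed.
    if dll and b"xlAutoOpen" in data:
        return "block: DLL containing the Excel add-in entry-point name"
    return "allow"


def _sample_pe(characteristics: int, extra: bytes = b"") -> bytes:
    """Constructed sample input: bare MZ/PE headers, not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff + extra


if __name__ == "__main__":
    print(triage_attachment("invoice.xll", _sample_pe(0x2002)))
    print(triage_attachment("report.dat", _sample_pe(0x2002, b"xlAutoOpen\0")))
    print(triage_attachment("budget.xlsx", b"PK\x03\x04"))
```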

Andrew Barratt, vice president of Coalfire, told The Register that reducing the number of dialog boxes that users have to deal with, and that cybercriminals know many will ignore, is a win for security teams.

“To steal a typical information security buzzword, the best way to think of this is as ‘next-generation’ macro attacks,” Barratt said. “As with many of these types of attacks, the best position software can take is to disable the capability and have a notice and alert process. The challenge is that over time we see the message ‘are you sure? sure you fatigue set in.” ®
