Microsoft to block Excel XLL files from the internet • The Register

Microsoft in March will begin blocking Excel XLL add-ins from the web to close down an increasingly common attack vector for miscreants.
In a one-sentence note on its Microsoft 365 roadmap, the vendor said the move was in response to “the increasing number of malware attacks in recent months.”
Security researchers have said that after Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.

In December, Cisco’s Talos threat intelligence group detailed another tool that cybercriminals were focusing on: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.

“For quite a while after that, the usage of XLL files is only sporadic and it doesn’t increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Talos, wrote in the report.
That shouldn’t come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.

“When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues,” Storie said. “This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives.”
Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP’s Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.

XLL files are a type of DLL file that can only be opened in Excel and enable third-party applications to add extra functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possibly dangerous code, similar to that shown when an Office document containing VBA macro code is opened.
And as with VBA macros, users often will disregard the warning.
“XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code,” Svajcer wrote.
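For defenders who want to see the same distinction Microsoft’s block draws, here is an added example (not from The Register, Microsoft, or Talos): a Python triage of constructed Sysmon-style image-load events that flags an XLL module loaded into Excel when the file carries an Internet-zone Mark-of-the-Web or sits in a user-writable attachment path. The field names, paths and events are constructed for illustration; the Zone.Identifier values 3 and 4 are the Windows Internet and Restricted zones.

```python
import re

# Constructed Sysmon-style image-load events (Event ID 7 shape), not real telemetry.
# "ZoneId" stands for the ZoneId value read from the file's Zone.Identifier stream.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Vendor\Analytics.xll", "ZoneId": None},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice_Q4.xll", "ZoneId": 3},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache"
                    r"\Content.Outlook\ABCD1234\report.xll", "ZoneId": None},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.xll", "ZoneId": 3},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\budget.xlsx", "ZoneId": 3},
]

# Mark-of-the-Web zones that mean "came from the internet": 3 = Internet, 4 = Restricted.
UNTRUSTED_ZONES = {3, 4}

# Folders where mailed or downloaded attachments land; installed add-ins live elsewhere.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|Content\.Outlook)\\", re.IGNORECASE)


def classify(event):
    """Return a reason string if the event is a suspicious XLL load, else None."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"]
    if not image.endswith("\\excel.exe"):
        return None  # this rule only covers XLL add-ins hosted by Excel
    if not loaded.lower().endswith(".xll"):
        return None  # ordinary workbooks are outside the rule
    if event.get("ZoneId") in UNTRUSTED_ZONES:
        return "xll_with_internet_motw"
    if USER_WRITABLE.search(loaded):
        return "xll_from_user_writable_path"
    return None  # e.g. an add-in installed under Program Files


def triage(events):
    """Return (path, reason) pairs for every event the rule flags."""
    return [(e["ImageLoaded"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

Only the Downloads file with an Internet-zone mark and the Outlook attachment cache file are flagged; the vendor add-in under Program Files, the non-Excel loader and the .xlsx workbook are not.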

Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.
“To steal a common infosec buzzword, the best way to think about these is like ‘next-gen’ macro attacks,” Barratt said. “As with a lot of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the ‘are you sure, you’re sure’ fatigue set in.” ®