Microsoft Plans to Block All Downloaded Excel XLL Add-Ins


Microsoft is planning to make its Office apps more secure by blocking all Excel XLL add-ins downloaded from the internet. The company explained that this move should help to prevent malicious actors from abusing this popular avenue to target Microsoft 365 customers worldwide.

Essentially, XLL files are dynamic-link libraries (DLLs) that enable users to use third-party tools and functions in Microsoft Excel. These files provide additional functionalities (such as dialog boxes, toolbars, and custom functions) that aren’t natively a part of the software.
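Because an XLL is a DLL under a different extension, attachment and download triage can treat it as native code rather than as a spreadsheet. The sketch below is an added example, not code from Microsoft or Talos: it reads the PE header to confirm that a file is a DLL image, and the function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL image


def classify(data: bytes) -> str:
    """Return 'pe-dll', 'pe-exe' or 'not-pe' for the raw bytes of a file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def triage(name: str, data: bytes) -> str:
    """Hypothetical triage verdict for one attachment (policy is an assumption)."""
    kind = classify(data)
    if name.lower().endswith(".xll"):
        if kind == "pe-dll":
            return "native-code add-in"
        return "extension/content mismatch"
    return "dll under another extension" if kind == "pe-dll" else "no finding"


def sample_pe(characteristics: int) -> bytes:
    """Constructed minimal header: DOS stub, PE signature, COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    attachments = {
        "invoice.xll": sample_pe(0x2022),   # constructed: DLL flag set
        "report.xll": b"PK\x03\x04" + b"\0" * 80,  # constructed: ZIP magic
        "notes.dat": sample_pe(0x2022),
    }
    for name, blob in attachments.items():
        print(f"{name}: {triage(name, blob)}")
```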

Last year, Microsoft announced that it’s blocking Visual Basic for Applications (VBA) macros by default in Word, Excel, and PowerPoint. Since then, threat actors have been looking for alternative methods (like LNK files and Excel XLL files) to deploy malware payloads. Security researchers have warned that attackers are increasingly using these techniques for data theft, ransomware attacks, and other cybercrime.

“For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” explained Vanja Svajcer, Outreach Researcher for Talos.

Microsoft to close malware backdoors by blocking Excel XLL files

To address this problem, Microsoft will soon block all Excel XLL add-ins downloaded from the internet in its Office apps. “In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet,” the company said on the Microsoft 365 roadmap.

Overall, this move is a part of Microsoft’s ongoing efforts to block hackers from leveraging malicious Office documents to compromise Windows systems. It should help to prevent them from remotely accessing machines, monitoring activity, and stealing data. The Microsoft 365 listing suggests that this change will begin rolling out in the Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel in March.