Microsoft is adding protection against malicious XLL add-ins for Microsoft 365 customers. The default behaviour will change so that XLL files downloaded from the Internet are blocked automatically. Despite the potential inconvenience, this should help curb the growing number of malicious campaigns that use this infection vector. The option is planned to roll out to most existing Microsoft 365 users as early as this March.
"To combat the growing number of malware attacks in recent months, we have decided to automatically block XLL add-ins coming from the Internet," say representatives of the Redmond corporation.
Excel XLL add-ins are dynamic-link libraries (DLLs) used to extend the functionality of Microsoft Excel. Attackers use them in phishing campaigns to deliver a variety of malware. An XLL reaches the victim's computer as a download link or an email attachment, disguised as a document from a business partner.
As soon as the target opens an unsigned XLL file, Excel shows a warning about a "potential security concern" and that "add-ins may contain viruses or other security threats". The user is offered the option of enabling the add-in for the current session only.
If the user ignores the Office warning (which is what happens in most cases) and enables the add-in, it immediately starts deploying the malware payload in the background.
Since XLL files are executable code and attackers can use them to run whatever they like, they should be opened only when you are completely certain that the add-in came from a trusted source.
Moreover, such files are not normally sent as email attachments; they are installed by a Windows administrator. So if you receive an email or any other message containing XLL files, do not download or open them.
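To turn the "only from a trusted source" rule into something that can actually be checked, here is a PowerShell triage script. It is an added example, not code from the article, from Microsoft, or from any of the vendors mentioned. It assumes (my assumption, not something the article states) that Microsoft's "downloaded from the Internet" block keys off the Mark of the Web, the Zone.Identifier alternate data stream that browsers and mail clients attach to downloaded files; the function name Test-XllFile and the Downloads folder path are likewise my own choices.

```powershell
# Added example, not from the article: triage .xll files before anyone opens them.
# Assumptions (mine, not the article's): Windows PowerShell 5.1 or later; the
# "downloaded from the Internet" block keys off the Mark of the Web, i.e. the
# Zone.Identifier alternate data stream; the function name and folder are made up.
function Test-XllFile {
    param([Parameter(Mandatory)][string]$FilePath)

    # 1. Is it really a PE image? XLLs are DLLs, so the file must start with "MZ".
    $fs  = [System.IO.File]::OpenRead($FilePath)
    $hdr = New-Object byte[] 2
    [void]$fs.Read($hdr, 0, 2)
    $fs.Close()
    $isPe = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)

    # 2. Mark of the Web: ZoneId=3 is "Internet", 4 is "Restricted sites".
    #    Files installed locally by an administrator carry no such stream.
    $zone = $null
    try {
        $line = Get-Content -Path $FilePath -Stream Zone.Identifier -ErrorAction Stop |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line) { $zone = [int]($line -replace '^ZoneId=', '') }
    } catch { }   # no stream: the file was not marked as downloaded

    # 3. Authenticode: an unsigned or tampered file is what triggers Excel's warning.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    $fromInternet = ($null -ne $zone -and $zone -ge 3)
    $verdict = if (-not $isPe) { 'not a DLL - suspicious' }
               elseif ($fromInternet -or $sig.Status -ne 'Valid') { 'do not open - quarantine' }
               else { 'signed, local origin - review before enabling' }

    [pscustomobject]@{
        File      = $FilePath
        IsPE      = $isPe
        ZoneId    = if ($null -eq $zone) { 'none' } else { $zone }
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        Verdict   = $verdict
    }
}

# Scan the Downloads folder (path is an assumption) and report every .xll found.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.xll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-XllFile -FilePath $_.FullName } |
    Format-Table -AutoSize
```

Two caveats when reading the output. The Zone.Identifier stream disappears as soon as someone ticks "Unblock" in the file's properties or runs Unblock-File, so "ZoneId = none" is evidence of local origin only if nobody has already done that. And "Signature = Valid" means the file has not been modified since a certificate holder signed it, not that the signer is trustworthy; the Signer column is there so that a human still looks at who that is.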
More than a year ago, in its Threat Insights Report Q4 2021, HP's threat analysis team reported an "almost six-fold increase in the number of attackers using Excel add-ins." The number of cases of malicious add-in use has probably grown even further since then, given that Microsoft has now resorted to such measures.
According to Cisco Talos, in a report published this January, XLL files are currently used both by financially motivated attackers and by state-sponsored groups (APT10, FIN7, Donot, TA410).
Such a policy toward suspicious files is nothing new for Microsoft. In July 2022 the blocks reached Office VBA macros, and in March 2021, XLM macros. Of course, all these restrictions cause Office end users a good deal of inconvenience, but Microsoft's actions, one way or another, are aimed at security.