Microsoft on Friday said it would start blocking XLL add-ins from the internet to combat the growing number of malware attacks in recent months.
Bad actors have been exploiting Excel-based XLL add-ins to deliver phishing lures carrying malware payloads.
The abuse of Microsoft add-ins by adversaries is not a new concept and it’s a technique that's been used by threat actors for years to execute malicious code, explained Dave Storie, adversarial collaboration engineer at LARES Consulting. Storie said the Microsoft Office Suite has become an attractive mechanism for adversaries to carry out attacks because of its ubiquity in corporate environments and personal machines, which allows threat actors to get a lot of mileage out of their malware.
“The recent rise in the spread of malicious Microsoft add-ins is likely due to the recent hardening of macros implemented by Microsoft in the Office Suite last year,” said Storie. “When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues. This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives.”
Mike Parkin, senior technical engineer at Vulcan Cyber, added that threat actors will always find creative ways to abuse otherwise useful tools. In this case, Parkin said the level of abuse has reached the point where Microsoft has included additional functionality to try and prevent attackers from abusing the XLL feature.
“This is welcome, but also points out how often malicious actors are abusing features of the Office Suite,” said Parkin. “Unfortunately, it’s unclear at this point whether it’s just going to be a warning that users can easily click through, a more proactive ‘off-by-default’ setting, or whether they are going to disable it entirely for XLL files downloaded from the internet.”