Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft Office to Block XLL Add-ins From Internet

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Microsoft is getting ready to improve the protection of Office users by automatically blocking more content sourced from the internet.

Building on previous restrictions that applied to macros in Word and Excel documents, the company is now preparing to block XLL add-ins in Excel files.

XLL add-ins are dynamic link library (DLL) files written in C or C++, and which can only be opened in Excel.

Over the past several years, threat actors have been abusing XLL files for the distribution of malware, typically in phishing campaigns that either deliver the XLL as an attachment, or direct the intended victims to malicious websites from where the XLL is automatically downloaded.

“In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet,” the latest entry in the Microsoft 365 roadmap reads.

For the time being, the feature is only in development, with intended worldwide general availability set for March 2023.

The blocking of XLL add-ins is the latest step Microsoft is taking towards preventing the use of malicious Office documents for the delivery of malware and for other malicious purposes.

For years, Office documents downloaded from the internet have been automatically opened in Protected View, with a yellow notification being displayed at the top of the document warning users not to trust internet-sourced files.

However, an ‘Enable editing’ button on the notification allows users to exit Protected View and edit the document’s content, but which also results in any macro code included in the file being automatically executed.

To further strengthen the security of its users, Microsoft last year announced that the yellow notification for documents coming from unknown or untrusted sources is being replaced with a red warning that does not allow users to enable macros with a single click. The company also started restricting all Excel 4.0 (XLM) macros by default.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.