Microsoft Office to Block XLL Add-ins From Internet

Microsoft is getting ready to improve the protection of Office users by automatically blocking more content sourced from the internet.

Building on previous restrictions that applied to macros in Word and Excel documents, the company is now preparing to block XLL add-ins in Excel files.

XLL add-ins are dynamic link library (DLL) files written in C or C++, and which can only be opened in Excel.

Over the past several years, threat actors have been abusing XLL files for the distribution of malware, typically in phishing campaigns that either deliver the XLL as an attachment, or direct the intended victims to malicious websites from where the XLL is automatically downloaded.

“In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet,” the latest entry in the Microsoft 365 roadmap reads.

For the time being, the feature is only in development, with intended worldwide general availability set for March 2023.

The blocking of XLL add-ins is the latest step Microsoft is taking towards preventing the use of malicious Office documents for the delivery of malware and for other malicious purposes.

For years, Office documents downloaded from the internet have been automatically opened in Protected View, with a yellow notification being displayed at the top of the document warning users not to trust internet-sourced files.

However, an ‘Enable editing’ button on the notification allows users to exit Protected View and edit the document’s content, but which also results in any macro code included in the file being automatically executed.

To further strengthen the security of its users, Microsoft last year announced that the yellow notification for documents coming from unknown or untrusted sources is being replaced with a red warning that does not allow users to enable macros with a single click. The company also started restricting all Excel 4.0 (XLM) macros by default.