Dark Reading: Threat Intel and Cybersecurity News

Microsoft plans to add a feature to Office Excel that will make it harder for cyberattackers to exploit the spreadsheet application’s “add-ins” function to run malicious code on a victim’s computer.

And while it’s a welcome development, Microsoft’s countermeasure is just the latest go-around in the cat-and-mouse game going on between major software makers and cyberattackers, researchers say.

Microsoft Takes Aim at XLLs

In an update to its Microsoft 365 road map last week, the company stated that it is currently “implementing measures to block XLL [add-in files] coming from the internet,” with a goal to have the feature in general availability sometime in March.

Excel add-in files are designated with the XLL file extension. They provide a way to use third-party tools and functions in Microsoft Excel that aren’t natively part of the software; they’re similar to dynamic link libraries (DLLs) but with specific features for Excel spreadsheets. For cyberattackers, they offer a way to read and write data within spreadsheets, add custom functions, and interact with Excel objects across platforms, Vanja Svajcer, a researcher with Cisco’s Talos group, said in a December analysis.

And indeed, attackers started experimenting with XLLs in 2017, with more widespread usage coming after the technique became part of common malware frameworks, such as Dridex. The add-in functionality has become increasingly popular with attackers since then; in fact, according to an Arctic Wolf report from early 2022, the use of XLL files increased nearly 600% in 2021.

One reason is that Microsoft Office does not block the feature outright but raises a dialog box instead, an approach Microsoft has commonly taken in the past, Svajcer wrote: “Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning.”

That could be an issue even after blocking is in place, Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading.

“Unfortunately, it’s unclear at this point whether it’s just going to be a warning that users can easily click through, a more proactive ‘off by default’ setting, or whether they are going to disable it entirely for XLL files downloaded from the Internet,” he notes.

Staying Ahead of the Cyberattackers?

For more than two decades, cybersecurity firms have sought to strip out potential avenues for malicious scripts in common file types — such as Office formats or PDF files — but attackers have always adapted.

For instance, Visual Basic for Applications (VBA) and Excel 4.0 macros both became so popular over the past five years for malware delivery that Microsoft blocked Office macros by default in the summer of 2022, disallowing macros from running in documents that carry a Mark of the Web (MotW) tag, which indicates that the document came from the Internet.
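The MotW tag that both the macro block and the announced XLL block key on is stored in an NTFS alternate data stream named Zone.Identifier. As an added defensive check (example code written for this article, not Microsoft's, Talos's or Arctic Wolf's), the script below parses that stream and inventories the .xll files under a directory, reporting which ones carry an Internet-zone tag, i.e. the add-ins such a block would target. The sample stream contents are constructed; the names `parse_zone_identifier`, `scan_xll` and the `example.invalid` URLs are this example's own, and treating zones 3 and 4 as "internet origin" is an assumption about how Office evaluates the tag.

```python
from pathlib import Path

# URLMON security zones as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed Zone.Identifier contents for a downloaded add-in (sample data, not from a real file).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/addin.xll\r\n")

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section; zone_id stays None if absent or malformed."""
    info = {"zone_id": None, "referrer": None, "host": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue  # skips blank lines, comments and keys outside [ZoneTransfer]
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid" and value.isdigit():
            info["zone_id"] = int(value)
        elif key in ("referrerurl", "hosturl"):
            info["referrer" if key == "referrerurl" else "host"] = value
    return info

def is_internet_origin(info: dict) -> bool:
    """Assumption: Internet (3) and Restricted (4) zones are what Office's MotW-based blocking keys on."""
    return info["zone_id"] is not None and info["zone_id"] >= 3

def zone_label(info: dict) -> str:
    zone = info["zone_id"]
    if zone is None:
        return "no-MotW"  # never downloaded, or the tag was not propagated (e.g. by some archive tools)
    return ZONE_NAMES.get(zone, f"zone-{zone}")

def read_motw(path: Path) -> dict:
    """Read the NTFS Zone.Identifier alternate data stream; a missing stream means no MotW."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # stream absent, or a filesystem/OS without ADS support
        return parse_zone_identifier("")

def scan_xll(root: str) -> list:
    """Return (path, zone label, internet_origin) for every .xll file under root."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() == ".xll")
    return [(str(p), zone_label(i), is_internet_origin(i)) for p in files for i in [read_motw(p)]]
```

Run `scan_xll` against a user's Downloads folder on a Windows host to see which add-ins would be affected; a result of "no-MotW" on a file that was in fact downloaded is the gap to investigate, since the block cannot act on a tag that was never written.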

Following that decision, threat actors began incorporating Shell Link (LNK) files as payloads for a number of malware families, with their use peaking in October with a spike in usage by the operators behind Qakbot, according to an analysis this week by researchers in Cisco’s Talos intelligence group.

And LNK files aren’t the only file type that’s becoming a more popular way to hide malicious code in the wake of blocking macros. In the third quarter of 2022, for example, zip archives and HTML files became the most common file types for malware delivery, with 44% of malware files hidden in archives, according to the third quarter “HP Wolf Security Threat Insights Report.”

Even if these alternative approaches are not as efficient or powerful, attackers will have to adopt them to continue to successfully compromise victims’ systems, because companies are hardening their products against more common attack techniques, Dave Storie, an adversarial collaboration engineer at cybersecurity-services firm Lares Consulting, said in a statement sent to Dark Reading.

“When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues,” he said. “This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives.”