September 21, 2023

Microsoft is planning to automatically block all XLL add-in files downloaded from the internet for its 265 customers by March 2023, to prevent phishing attacks that rely on these types of lures.

The abuse of Microsoft add-ins is a technique that threat actors have used for years to execute malicious code. The Microsoft Office Suite is widely deployed, and its ubiquity in corporate environments and on personal machines makes it an attractive mechanism for adversaries to carry out attacks.


The rise in the spread of malicious Microsoft add-ins is possibly connected to the recent hardening of macros implemented by Microsoft in the Office Suite last year.

Since Microsoft has decided to close or reduce this attack surface, threat actors may explore or discover other mechanisms to achieve their objectives.

For now, it’s unclear whether this is just going to be a warning that users can easily click through, a more proactive ‘off by default’ setting, or whether Microsoft is going to disable XLL files downloaded from the internet entirely.

