Microsoft to Block Excel XLL Add-Ins to Stop Malware Delivery

Microsoft has announced plans to automatically block all XLL add-in files downloaded from the internet for its 365 customers, to prevent phishing attacks relying on these types of lures.

Writing on its Microsoft 365 roadmap page, the tech giant has confirmed it intends to implement these plans by March 2023.

"To combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet."

According to Dave Storie, adversarial collaboration engineer at Lares Consulting, the abuse of Microsoft add-ins by adversaries is a technique that has been used by threat actors for years to execute malicious code.

"The Microsoft Office Suite is an attractive mechanism for adversaries to carry out attacks due to its ubiquity in corporate environments and personal machines," Storie told Infosecurity via email. "The widespread deployment of the Office suite can allow threat actors to get a lot of mileage out of their malware."

The security expert added that the recent rise in the spread of malicious Microsoft add-ins is possibly connected to the hardening of macros that Microsoft implemented in the Office Suite last year.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie explained. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Mike Parkin, a senior technical engineer at Vulcan Cyber, echoed Storie's point but added that while the feature is welcome, it also highlights how often malicious actors abuse the Office suite's features.

"Unfortunately, it's unclear at this point whether [the new feature is] just going to be a warning that users can easily click through, a more proactive 'off by default' setting, or whether they are going to disable it entirely for XLL files downloaded from the internet," Parkin told Infosecurity in an email.

The Microsoft announcement comes weeks after France's digital privacy regulator fined the US tech giant €60m ($65.18m) over advertising cookies.
