Microsoft 365

2023 - 1 - 23


Microsoft 365 rolled out within public bodies (POST-COURIER)

The Department of Information and Communication Technology has deployed Microsoft 365 services within public bodies starting with the Parliament House.


Microsoft plans to kill malware delivery via Excel XLL add-ins (BleepingComputer)

Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the ...

Additionally, such files are not generally sent as email attachments but instead installed by a Windows admin.

... [added XLM macro protection](https://www.bleepingcomputer.com/news/security/microsoft-office-365-gets-protection-against-malicious-xlm-macros/) in M365 by expanding the runtime defense provided by Office 365's integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning.

... [in 2018](https://www.bleepingcomputer.com/news/security/microsoft-office-365-customers-get-protection-against-malicious-macros/), Microsoft also extended support for AMSI to Office 365 apps to defend customers against attacks using VBA macros.

... [Office VBA macros would be auto-blocked](https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/) in downloaded Office documents, making it harder to enable in docs downloaded from the Internet in several Office apps (Access, Excel, PowerPoint, Visio, and Word).

... ([APT10](http://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/) [,](https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files) [FIN7](https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/), [Donot](https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed), [TA410](https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/)) as an infection vector to deliver first-stage payloads onto their targets' devices.

... [XLL add-ins](https://learn.microsoft.com/en-us/office/dev/add-ins/excel/make-custom-functions-compatible-with-xll-udf) (Excel DLLs) in phishing campaigns to push various malicious payloads in the form of download links or attachments [camouflaged](https://www.bleepingcomputer.com/news/security/malicious-excel-xll-add-ins-push-redline-password-stealing-malware/) as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
