Cyberattacks Via Excel Add-Ins Jump Nearly 600%

Batts Morrison Wales & Lee is sharing this important alert recently published by the Journal of Accountancy and authored by Jeff Drew.  We gratefully acknowledge permission to republish from the Journal. 

BMWL recommends that you share this information with the person(s) or group(s) charged with managing and overseeing IT and data security for your organization.


A new report urges Microsoft Excel users to take action to protect themselves from a dramatic rise in cyberattacks using malicious add-in files.

In its Threat Insights Report for the fourth quarter of 2021, HP Wolf Security said it detected a 588% increase quarter over quarter in attacks using Excel add-ins (.XLL) to infect computer systems and networks with malware.

In the campaigns HP Wolf Security analyzed, users received emails with malicious .XLL attachments or links. Double-clicking the attachment or link opens Excel, which then prompts the user to install and activate the add-in. Most attacks included the malicious code in the xlAutoOpen function, which runs immediately after the add-in is activated. This mode of attack is particularly dangerous because it requires only one click to activate the malware, as opposed to VBA attacks, which require the user to exit Excel's Protected View and enable macros.

The Threat Insights Report recommended three steps organizations could take to protect themselves from .XLL attacks:

  • Configure their email gateway to block inbound emails that have .XLL attachments. Some email gateways already do this because .XLL files are dynamic link libraries (DLLs), a type of file not often sent by email.
  • Configure Excel to allow only add-ins from trusted publishers.
  • Configure Excel to disable all proprietary add-ins.

HP Wolf Security identified seven malware families being delivered via malicious Excel add-ins. The types of malware detected were Agent Tesla, BazaLoader, Bitrat, Dridex, Formbook, IcedID, and Raccoon Stealer. Advertisements promoting the malware were found on underground forums for prices as high as $2,100. One forum post, shown in the report, shows an "XLL Excel Dropper" that allows users to specify an executable file or a link to the malware and a decoy document to fool recipients after they have opened the add-in. The tool generates a malicious .XLL file that can then be used in attacks.

While organizations should be aware of the .XLL threat, the report said, it is yet to be seen if that vector of attack will become more prevalent than established Excel attacks delivering malware via Excel4 macros, Dynamic Data Exchange (DDE), and VBA.

This publication is for general informational and educational purposes only, and does not constitute legal, accounting, tax, financial, or other professional advice. It is not a substitute for professional advice. For permission to reprint, please contact us.  © 2024 Batts Morrison Wales & Lee, P.A.  All rights reserved.