Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.
Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.
Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.
These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.
Read the full article here: APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector (thehackernews.com)