Cyberattacks via Excel add-ins jump nearly 600%

By Jeff Drew

A new report urges Microsoft Excel users to take action to protect themselves from a dramatic rise in cyberattacks using malicious add-in files.

In its Threat Insights Report for the fourth quarter of 2021, HP Wolf Security said it detected a 588% increase quarter over quarter in attacks using Excel add-ins (.XLL) to infect computer systems and networks with malware.

In the campaigns HP Wolf Security analyzed, users received emails with malicious .XLL attachments or links. Double-clicking the attachment or link opens Excel, which then prompts the user to install and activate the add-in. Most attacks included the malicious code in the xlAutoOpen function, which runs immediately after the add-in is activated. This mode of attack is particularly dangerous because it requires only one click to activate the malware, as opposed to VBA attacks, which require the user to exit Excel's Protected View and enable macros.

The Threat Insights Report recommended three steps organizations could take to protect themselves from .XLL attacks:

  • Configure their email gateway to block inbound emails that have .XLL attachments. Some email gateways already do this because .XLL files are dynamic link libraries (DLLs), a type of file not often sent by email.
  • Configure Excel to allow only add-ins from trusted publishers.
  • Configure Excel to disable all proprietary add-ins.

HP Wolf Security identified seven malware families being delivered via malicious Excel add-ins. The types of malware detected were Agent Tesla, BazaLoader, Bitrat, Dridex, Formbook, IcedID, and Raccoon Stealer. Advertisements promoting the malware were found on underground forums for prices as high as $2,100. One forum post, shown in the report, shows an "XLL Excel Dropper" that allows users to specify an executable file or a link to the malware and a decoy document to fool recipients after they have opened the add-in. The tool generates a malicious .XLL file that can then be used in attacks.

While organizations should be aware of the .XLL threat, the report said, it is yet to be seen if that vector of attack will become more prevalent than established Excel attacks delivering malware via Excel4 macros, Dynamic Data Exchange (DDE), and VBA.

— To comment on this article or to suggest an idea for another article, contact Jeff Drew at

Where to find June’s flipbook issue

The Journal of Accountancy is now completely digital. 





Leases standard: Tackling implementation — and beyond

The new accounting standard provides greater transparency but requires wide-ranging data gathering. Learn more by downloading this comprehensive report.