Microsoft Office to Block XLL Add-ins From Internet

For years, Office documents downloaded from the internet have been automatically opened in Protected View, with a yellow notification being displayed at the top of the document warning users not to trust internet-sourced files. However, an ‘Enable editing’ button on the notification allows users to exit Protected View and edit the document’s content, but which also results in any macro code included in the file being automatically executed. Over the past several years, threat actors have been abusing XLL files for the distribution of malware, typically in phishing campaigns that either deliver the XLL as an attachment, or direct the intended victims to malicious websites from where the XLL is automatically downloaded.