Tag Archive for: predict

Cisco’s Talos security bods predict new wave of Excel Hell • The Register


It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft’s Windows OS and Office suite.

While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent.

Blocking macros therefore won’t deter cybercriminals from targeting Microsoft’s signature productivity applications. They’ll just have to find other options.

A report released on Tuesday by researchers from Cisco’s Talos threat intelligence group dissected one: XLL files in Excel.

Microsoft describes XLL files as “a type of dynamic link library (DLL) file that can only be opened by Excel”. They exist to let third-party apps add extra functionality to the spreadsheet.

Miscreants have used XLLs in attacks for several years, with the first malicious samples submitted to VirusTotal in mid-2017.

“For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Talos, wrote in the report.

“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”

Those high-profile groups include APT10, a China-linked gang also known as Chessmaster, Potassium, and menuPass that has used XLLs to inject the Anel Backdoor malware. TA410, a cyberespionage group also known as Cicada or Stone Panda, is another user. DoNot, another APT group, and Fin7, a Russia-based organization, are also admirers. Fin7 earlier this year began using XLLs sent…


Kaspersky Researchers Predict New Threat Angles and Attack Strategies to Come


Advanced Persistent Threats in 2021: Kaspersky Researchers Predict New Threat Angles and Attack Strategies to Come


DHS wants to predict how malware will morph

The Department of Homeland Security (DHS) wants to be able to predict what form malware will morph into so it can plan how to block it when it becomes reality.

DHS has granted Charles River Analytics in Cambridge, Mass., $500,000 to develop the technology, known as Predictive Malware Defense (PMD).

Charles River will use machine learning and statistical models to predict attacks based on new malware as well as create defenses ahead of time. The models will look at features of families of malware and predict how they might evolve.

Once it’s developed, PMD will be turned over to admins in private and public organizations – particularly financial organizations – so they can anticipate attacks before they happen, DHS says.


Network World Tim Greene