In the wake of Microsoft’s effort to phase out support for VBA macros in Office docs, cybercriminals have now turned to use XLL files to embed malicious code in docs. FIN7, an infamous cybercrime threat actor, started using XLL files as attachments in email campaigns early this year. Additional threats spotted using the XLL files include Dridex, FormBook, AgentTesla, Lokibot, and Ducktail.