You probably think of Microsoft’s classic spreadsheet program Excel as mostly boring. Sure, it can wrangle data, but it’s not exactly Apex Legends. For hackers, though, it’s a lot of fun. As with the rest of the Office 365 suite, attackers often manipulate Excel to launch their digital strikes. And two recent findings demonstrate how the program’s own legitimate features can be used against it.
On Thursday, researchers from threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from various sources with a spreadsheet—like a database, second spreadsheet, document, or website. This mechanism for linking out to another component, though, can also be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors.
“Attackers don’t need to invest in a very sophisticated attack—they can just open up Microsoft Excel and use its own tools,” says Meni Farjon, Mimecast’s chief scientist. “And you have basically 100 percent reliability. The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it’s based on a legitimate feature. That makes it very viable for attackers.”
Farjon suggests that once Power Query connects to a malicious website, attackers could initiate something like a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Digital systems are usually set up to silo programs so they can’t interact without permission. So protocols like DDE exist to be a sort of mediator in situations where it would be useful for programs to compare notes. But attackers can embed the commands that initiate DDE in their website, and then use Power Query commands in a malicious spreadsheet to merge the website’s data with the spreadsheet and set off the DDE attack. They could use the same type of flow to drop other malware onto a target system through Power Query, too.
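What both passages above come down to, from a defender's side, is that a workbook carrying an external data connection (a web query, or a Power Query definition that resolves to a remote source) is the thing worth catching before it is opened. The script below is an added example, not code from the article or from Mimecast. It builds a small constructed .xlsx in memory and then inspects the OOXML parts where Excel records such connections: `xl/connections.xml` (the standard SpreadsheetML `connection`, `webPr` and `dbPr` elements) and the base64 `DataMashup` item that Power Query writes under `customXml/` (the location is stated here as an assumption based on how current Excel versions save queries). The hostname, connection names and the Mashup blob are placeholders. The output is a triage result, not a verdict: a connection is a reason to review a workbook, not proof it is malicious.

```python
"""Triage helper: flag Excel workbooks that carry web or Power Query data connections.

Constructed example. An .xlsx is a zip container; external data connections are
recorded in xl/connections.xml and Power Query ("Mashup") definitions are stored
as a base64 DataMashup blob inside a customXml/ item. All URLs and names below
are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)

CONNECTIONS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    # Legacy web query: fetches a page or file straight from a URL when refreshed.
    '<connection id="1" name="WebFeed" type="4">'
    '<webPr url="http://data-feed.example/quotes.csv"/></connection>'
    # Power Query connection: the Mashup OLE DB provider resolves the real source
    # from the DataMashup blob, so the URL is not visible in this part.
    '<connection id="2" name="Query - ExternalFeed" type="100">'
    '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;'
    'Location=ExternalFeed" command="SELECT * FROM [ExternalFeed]"/></connection>'
    '</connections>'
)

# Placeholder for the base64 blob Excel writes for Power Query (constructed, not real M code).
DATAMASHUP_XML = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">AAAA</DataMashup>'


def build_sample_workbook(with_connections: bool = True) -> bytes:
    """Assemble a minimal constructed .xlsx zip, optionally with external connections."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("xl/workbook.xml", '<workbook xmlns="%s"/>' % SS_NS[1:-1])
        if with_connections:
            zf.writestr("xl/connections.xml", CONNECTIONS_XML)
            zf.writestr("customXml/item1.xml", DATAMASHUP_XML)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return the external-connection indicators found in an .xlsx byte string."""
    findings = {"web_urls": [], "mashup_connections": [], "has_datamashup": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "xl/connections.xml" in names:
            root = ET.fromstring(zf.read("xl/connections.xml"))
            for conn in root.iter(SS_NS + "connection"):
                web = conn.find(SS_NS + "webPr")
                if web is not None and web.get("url"):
                    findings["web_urls"].append(web.get("url"))
                db = conn.find(SS_NS + "dbPr")
                if db is not None and "Mashup" in (db.get("connection") or ""):
                    findings["mashup_connections"].append(conn.get("name", "?"))
        # Power Query's own definition lives outside connections.xml, so check customXml too.
        for name in names:
            if name.startswith("customXml/") and name.endswith(".xml"):
                if b"DataMashup" in zf.read(name):
                    findings["has_datamashup"] = True
    # Hosts pulled from plain web queries; Power Query sources need the blob decoded (not done here).
    findings["external_hosts"] = sorted(
        {urlparse(u).hostname for u in findings["web_urls"] if urlparse(u).hostname}
    )
    findings["needs_review"] = bool(
        findings["web_urls"] or findings["mashup_connections"] or findings["has_datamashup"]
    )
    return findings


if __name__ == "__main__":
    for label, wb in (("with connections", build_sample_workbook()),
                      ("plain", build_sample_workbook(with_connections=False))):
        print(label, scan_workbook(wb))
```

Run on a real file by replacing the constructed bytes with `open(path, "rb").read()`; for a mail gateway or EDR pipeline the `needs_review` flag is the part you would route to quarantine or analyst review, and the Power Query case deserves a second look because the actual source URL is only recoverable by decoding the DataMashup blob.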