You probably think of Microsoft’s classic spreadsheet program Excel as mostly boring. Sure, it can wrangle data, but it’s not exactly Apex Legends. For hackers, though, it’s a lot of fun. Like the rest of the Office 365 suite, attackers often manipulate Excel to launch their digital strikes. And two recent findings demonstrate how the program’s own legitimate features can be used against it.

On Thursday, researchers from the threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from various sources with a spreadsheet—like a database, second spreadsheet, document, or website. This mechanism for linking out to another component, though, can also be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors.

“Attackers don’t need to invest in a very sophisticated attack, they can just open up Microsoft Excel and use its own tools,” says Meni Farjon, Mimecast’s chief scientist. “And you have basically 100 percent reliability. The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it’s based on a legitimate feature. That makes it very viable for attackers.”

Farjon suggests that once Power Query connects to a malicious website, attackers could initiate something like a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Digital systems are usually set up to silo programs so they can’t interact without permission. So protocols like DDE exist to be a sort of mediator in situations where it would be useful for programs to compare notes. But attackers can embed the commands that initiate DDE in their website, and then use Power Query commands in a malicious spreadsheet to merge the website’s data with spreadsheet and set off the DDE attack. They could use the same type of flow to drop other malware onto a target system through Power Query, too.

Microsoft offers prompts that warn users when two programs are going to link through DDE, but hackers have launched DDE attacks from Word documents and Excel sheets since since about 2014, tricking users into clicking through the prompts.

“It’s easy, it’s exploitable, it’s cheap, and it’s reliable.”

Meni Farjon, Mimecast

In a 2017 security advisory, Microsoft offered suggestions about how to avoid the attacks, like disabling DDE for various Office suite programs. But Mimecast’s findings represent yet another way to launch them on devices that don’t have these workarounds in place. After the researchers disclosed their Power Query findings to Microsoft in June 2018, the company said that it would not be making any changes to the feature and hasn’t since. Farjon says the company waited a year to disclose the findings, in hopes that the company would change its mind. And while Mimecast hasn’t seen any indication that Power Query is being manipulated for attacks in the wild yet, the researchers also point out that the attacks are difficult to detect, because they stem from a legitimate feature. Security tools would need to incorporate specific monitoring features to catch the activity.

“Unfortunately I think attackers will absolutely use this,” Farjon says. “It’s easy, it’s exploitable, it’s cheap, and it’s reliable.”

Separately, Microsoft’s own security intelligence team warned just last week that attackers are actively exploiting a different Excel feature, to compromise Windows machines even when they have the latest security updates. That attack, which seems to currently target Korean-language users, launches through malicious macros. Macros have been a scourge of Excel and Word for years, because they are components that can run a series of commands, and therefore can be programmed to run a series of malicious instructions. Macros are meant to be a helpful automation tool, but with expanded functionality comes potential abuse.

Office 365 users understandably want new, helpful features, but every new component also opens up potential risk for abuse. The more capable and flexible the programs are, the more hackers can figure out malicious ways to manipulate them. Microsoft said that its Windows Defender scanning system was able to block last week’s macros attacks, because it knew what to look for. But Mimecast’s findings are a reminder that there are always other avenues just waiting to be exploited by hackers.

“It’s getting much more difficult to use ‘traditional’ exploitation methods in order to infect an organization,” says Ronnie Tokazowski, a senior threat researcher at the email security firm Agari. “But if attackers can find a feature that they can abuse, they don’t have to worry about finding an exploit or about which flavor of Windows they’re targeting. They’re just trying to find the path of least resistance.”

Microsoft says that both macros and Power Query can be controlled using an Office 365 management feature called “group policies.” It essentially allows administrators to adjust settings on all of their organization’s devices at once. But users needing to disable certain features to stay safe from attacks calls into question whether the feature should be there in the first place.


More Great WIRED Stories