What is the threat?
A feature in Microsoft Excel called Power Query is vulnerable to attack by threat actors leveraging the way this feature accesses data outside the spreadsheet that it resides in. Power Query is a legitimate feature; which allows Excel files to integrate data from external sources such as an external database, text document, another spreadsheet, or a web page. A threat actor can craft a Power Query call to an external server which hosts malware or otherwise allows malicious activity to be initiated on the user’s computer when the spreadsheet is opened. Because the attackers are using a legitimate tool in Excel to gain access to the user’s device, the attack can go undetected.
Why is this noteworthy?
Power Query is a feature-set in many versions of Excel, including the most recent versions (Office 2016 for Windows and Mac). This means that even updated and patched versions of the software have the ability to be impacted by this vulnerability; since the Power Query feature-set is a valid and current tool. The vulnerability is based upon a method called Dynamic Data Exchange (DDE). DDE (not to be confused with Microsoft Exchange, the email service) is a tool-set that permits Microsoft Office documents including Excel spreadsheets to retrieve and utilize data and code from outside of the spreadsheet – such as from a website or shared drive. This makes it viable for attackers to initiate a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Attacks using this method are common, but this one is notable as it can grant the attackers administrative privileges.
What is the exposure or risk?
Using Power Query, an attacker can embed malicious content in a separate data source – such as a website – and then load that content into the spreadsheet when it is opened and retrieve that website/web component via DDE. The malicious code can be run by the Excel application to install and execute malware to compromise the user’s machine. Using this feature in Power Query, attackers could potentially embed any malicious payload that by designed won’t be saved inside the document itself; but downloaded and executed from the web when the document is opened.
What can you do?
Microsoft has not issued a fix for the vulnerability at this time, but did release an advisory for users, offering a work-around to increase security.
To contain the possible reach of this threat, SKOUT recommends the following:
- Since Power Query has been built on top of DDE, by disabling DDE support in Excel users should also be protected against attacks abusing Power Query; which has been built to work on top of DDE in the first place.
Instructions on how to disable DDE in Excel are available at the link below:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
- Office 365’s management feature called ‘group policies’ allows administrators to adjust settings for macros and Power Query on all their organization’s devices at once.
- Standard email hygiene methodologies (such as not opening attachments from unknown sources or attachments where the content of that attachment are not already known to the recipient) can help to limit this attack.
References:
For more in-depth information about the recommendations, please visit the following links:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
http://fortune.com/2019/06/27/microsoft-excel-security-vulnerability/
https://www.wired.com/story/microsoft-excel-hacking-power-query-macros/
If you have any questions, please contact our Security Operations Center Security Operations Center.
