New Exploit for Microsoft Excel Power Query

Published: 23/11/2024   Category: security

The proof of concept, which allows remote code execution, is the latest to exploit Dynamic Data Exchange (DDE) and is another reminder of why organizations must ensure their Office settings are secure.

Organizations now have one more reason to pay attention to the security settings of their Microsoft Office applications.
Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query to remotely drop and run malware on a user's system, escalate privileges, and carry out other malicious activity.
Such attacks can be hard to detect and could allow attackers to load payloads into Excel spreadsheets directly from the Web or another external source when the document is opened, Mimecast said. Because Power Query is a very powerful feature, the potential for abuse is great, according to the security vendor.
Mimecast's exploit is the latest involving Dynamic Data Exchange (DDE), a protocol that allows Microsoft applications that use shared memory to exchange data and messages with each other. In the past, researchers and advanced threat groups have demonstrated how DDE can be exploited within Word and other Microsoft Office apps to distribute malware, escalate local privileges, and enable other malicious activity.
In response, Microsoft issued guidance in January 2018 recommending that organizations disable the DDE feature where it is not needed, in order to block external data connections. The company has also noted that for DDE exploits to work, a user would need to click through multiple security prompts. Warnings are displayed on all currently supported Excel versions before loading external data and before executing a command from a DDE formula.
But Meni Farjon, chief scientist of advanced threat detection at Mimecast, says it's unclear how many organizations are following the advice. It is unlikely that many organizations have disabled it, he says.
The default setting is for DDE to be enabled, which means an organization is vulnerable to exploits targeting the protocol, he says. It is hard to say that organizations have disabled this feature because some of them rely on these Excel features.
DDE and Social Engineering
Mimecast's new exploit shows how attackers can use Power Query to launch a remote DDE attack in an Excel spreadsheet.
Power Query is a feature in Excel that lets users connect their spreadsheets with other structured and unstructured data sources, including web pages, text files, databases, Active Directory, Exchange, Hadoop, and even Facebook. It's one of three data analysis tools available with Excel and allows users to discover, combine, and refine their data in various ways.
Mimecast researchers discovered that Power Query's ability to link spreadsheets to other sources and load data from them into an Excel spreadsheet could be abused relatively easily to launch sophisticated and hard-to-detect attacks. Using Power Query, attackers could embed malicious content in a separate data source and then load the content into the spreadsheet when it is opened, the company said in an advisory Thursday.
Mimecast's proof of concept shows how an external web page hosting a malicious payload can be loaded into an Excel spreadsheet. An attacker just needs to open up an Excel document and follow a few clicks to create the issue — no reverse engineering, no hex editing, no memory abuse, Farjon says.
For an attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on the web page. 
Antivirus tools wouldn't spot the crafted file as being malicious because the payload would not be embedded in it. And attackers could ensure the payload bypasses antivirus and sandboxing controls when being loaded from the external web page by adding a specific HTTP header in the request, Mimecast said.
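The defender's counterpart to the point above: because the workbook itself carries only the connection (a web URL, Power Query's DataMashup part, or a DDE service/topic pair) rather than the payload, a mail gateway or triage script can still flag inbound Excel files by pulling those parts out of the OOXML zip. The script below is an added example, not Mimecast's code or anything from the article; the sample workbook it builds is constructed inline with placeholder values, and the part names it looks at (xl/connections.xml, customXml/item*.xml, xl/externalLinks/*.xml) follow the standard OOXML layout.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"  # SpreadsheetML main namespace


def scan_workbook(data: bytes) -> dict:
    """Inspect .xlsx/.xlsm zip bytes for the parts that reach outside the file."""
    found = {"web_urls": [], "power_query": [], "dde_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "xl/connections.xml" in names:  # external data connections
            root = ET.fromstring(zf.read("xl/connections.xml"))
            for conn in root.iter(f"{{{NS}}}connection"):
                web = conn.find(f"{{{NS}}}webPr")  # classic web query, URL is in the clear
                if web is not None and web.get("url"):
                    found["web_urls"].append(web.get("url"))
                db = conn.find(f"{{{NS}}}dbPr")  # Power Query connects via the Mashup OLE DB provider
                if db is not None and "Microsoft.Mashup" in (db.get("connection") or ""):
                    found["power_query"].append(conn.get("name"))
        for name in names:
            # Power Query keeps its M query definitions (and source URLs) in a DataMashup part
            if name.startswith("customXml/") and b"DataMashup" in zf.read(name):
                found["power_query"].append(name)
            # DDE links are stored as <ddeLink ddeService=".." ddeTopic=".."> under externalLinks
            if name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                for dde in ET.fromstring(zf.read(name)).iter(f"{{{NS}}}ddeLink"):
                    found["dde_links"].append((dde.get("ddeService"), dde.get("ddeTopic")))
    return found


def is_suspicious(found: dict) -> bool:
    """Triage rule: any DDE link, Power Query part or web connection means the payload may live off-file."""
    return bool(found["dde_links"] or found["power_query"] or found["web_urls"])


def build_sample_workbook() -> bytes:
    """Constructed minimal workbook for the demo (not a real file): placeholder values only."""
    conns = (f'<connections xmlns="{NS}">'
             '<connection id="1" name="feed" type="4"><webPr url="https://example.invalid/data"/></connection>'
             '<connection id="2" name="Query - Q1" type="5"><dbPr connection="Provider=Microsoft.Mashup.OleDb.1;'
             'Data Source=$Workbook$;Location=Q1" command="SELECT * FROM [Q1]"/></connection></connections>')
    mashup = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">cGxhY2Vob2xkZXI=</DataMashup>'
    ext = f'<externalLink xmlns="{NS}"><ddeLink ddeService="PLACEHOLDER-SERVICE" ddeTopic="PLACEHOLDER-TOPIC"/></externalLink>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", conns)
        zf.writestr("customXml/item1.xml", mashup)
        zf.writestr("xl/externalLinks/externalLink1.xml", ext)
    return buf.getvalue()
```

The scanner only reports that external reach exists; the actual Power Query source URL sits inside the compressed DataMashup blob, so a hit there is a signal to detonate or inspect the file, not proof of malice.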
It is very easy and fast to craft, so it makes it viable for both opportunistic and high-scale attacks, Farjon says. A user, however, would need to click on a warning box in order to enable the remote content, he adds. This isn't a configuration issue since it is enabled by default. It's a security issue rather than a security vulnerability, as per Microsoft, he says.
Microsoft itself pointed to its previous guidance around DDE in response to Mimecasts new exploit. For this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula, a spokeswoman said in an emailed statement.