Microsoft warns of remote execution exploit in Excel


A new vulnerability in a Microsoft Excel business intelligence tool has been found to give attackers an opportunity to remotely launch malware and take over a user's system.

Researchers at Mimecast discovered a vulnerability in Power Query (PQ), a powerful and scalable business intelligence tool in Microsoft Excel that allows users to integrate spreadsheets with other areas of their business, such as external databases, text documents and web pages.

The vulnerability is based on Dynamic Data Exchange (DDE), a method of data communication between applications that is used across the Microsoft Office suite. DDE attacks are nothing new, and many successful malware campaigns have used the method to compromise documents; however, this particular attack grants perpetrators significant admin privileges.

"In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email," said Microsoft. "The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts."

Using the exploit, attackers can fingerprint individual systems belonging to victims, allowing them to deliver harmful code that appears harmless to both sandboxes and other security software the victim may be running.

Mimecast researcher Ofir Shlomo also said that the Power Query exploit could be used to launch sophisticated, difficult-to-detect attacks that combine several attack surfaces.

"Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened," said Shlomo in a research blog shared with IT Pro. "The malicious code could be used to drop and execute malware that can compromise the user's machine."

DDE attacks are infamous for targeting enterprises due to their widespread reliance on Microsoft Office software in workplaces around the world.

APT28 and APT37, Russian and North Korean-linked hacking groups respectively, have both used the technique to good effect in recent years, with other groups utilising malformed Word documents for use in spear phishing campaigns.

"Such attacks are usually hard to detect and give threat actors more chances to compromise the victim's host," said Shlomo. "Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won't be saved inside the document itself but downloaded from the web when the document is opened."

Mimecast disclosed the issue to Microsoft through Microsoft's Coordinated Vulnerability Disclosure process when it discovered it. While Microsoft has yet to offer a fix for the issue, it did share a workaround.

Microsoft published an advisory document (advisory 4053440) that offers tips and guidance on how to secure applications when they process DDE fields. This includes instructions on how to create custom registry entries for Office, along with other methods, each with its benefits and drawbacks listed.
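The advisory's registry workaround is something an administrator would want to audit across a fleet rather than apply by hand. The following PowerShell script is an added example written for this page, not code from Microsoft, Mimecast or the article; it checks every Office version key present for the current user and reports whether the Excel DDE mitigation value is set, writing it only when `-Apply` is passed. The key path `Excel\Security`, the value name `WorkbookLinkWarnings` and the hardened value `2` are taken from my reading of advisory 4053440 and should be confirmed against the advisory text before deployment.

```powershell
# Added example (not from the article or from Microsoft/Mimecast): audit, and optionally
# set, the Excel DDE mitigation from Microsoft advisory 4053440 for every Office version
# configured for the current user. Assumption to verify against the advisory: the Excel
# workaround sets HKCU\Software\Microsoft\Office\<version>\Excel\Security\WorkbookLinkWarnings
# (DWORD) to 2. Run without -Apply for a read-only audit.
param(
    [switch]$Apply   # default is audit-only; pass -Apply to write the value
)

$officeRoot = 'HKCU:\Software\Microsoft\Office'
$valueName  = 'WorkbookLinkWarnings'
$hardened   = 2

# Office stores per-version settings under keys named like 14.0, 15.0, 16.0
$versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

if (-not $versions) {
    Write-Output "No Office version keys found under $officeRoot for this user"
    return
}

foreach ($v in $versions) {
    $ver = $v.PSChildName
    $securityKey = "$officeRoot\$ver\Excel\Security"

    if (-not (Test-Path $securityKey)) {
        # Excel for this version has never written its Security key for this user;
        # only create it when we have been asked to apply the mitigation
        if (-not $Apply) {
            Write-Output "${ver}: Excel\Security key absent (mitigation NOT present)"
            continue
        }
        New-Item -Path $securityKey -Force | Out-Null
    }

    # Missing value comes back as $null with SilentlyContinue
    $current = (Get-ItemProperty -Path $securityKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($current -eq $hardened) {
        Write-Output "${ver}: $valueName=$current (mitigation present)"
        continue
    }

    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    Write-Output "${ver}: $valueName=$shown (mitigation NOT present)"

    if ($Apply) {
        New-ItemProperty -Path $securityKey -Name $valueName -PropertyType DWord `
            -Value $hardened -Force | Out-Null
        Write-Output "${ver}: set $valueName=$hardened"
    }
}
```

Because the setting lives under HKCU, it must be applied per user; for a domain-wide rollout the same value is better delivered through Group Policy Preferences or the Office administrative templates, and this script then serves as a compliance check that the policy actually landed on each machine.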

"Attackers are looking to subvert the detections that victims have," said Shlomo. "While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.