Mimecast Threat Center specialists found that attackers could abuse Microsoft Excel's Power Query technology to run malicious code on users’ systems. The Power Query functionality allows Excel files to detect, connect, merge and manage data before importing information from remote sources such as an external database, a text document, another table, a web page or something else. In the newest versions of Excel, Power Query is present by default; for older versions, the technology is available as a downloadable add-on.
Analysts at Mimecast Threat Center describe an attack method that uses modified Excel documents, which apply Power Query to import data from an attacker’s remote server. What is worse, the experts emphasize that their methodology can be used to bypass sandboxes that analyze documents sent by e-mail.
“Using Power Query, attackers can embed malicious content into a separate data source and then load it into a spreadsheet while it is being opened. Such malicious code can be used to remove and launch malicious programs that can compromise the user’s computer,” the researchers write.
It is worth noting that the situation around Power Query is very similar to the problem associated with the old Dynamic Data Exchange (DDE) technology. In 2017, SensePost experts found that DDE helps attackers to invade victim systems with malware, and hackers see this as an excellent alternative to malicious macros and Object Linking and Embedding (OLE).
Large botnets quickly began to abuse the insecurity of DDE in various malicious campaigns, but Microsoft was in no hurry to fix the problem. All warnings from information security specialists were answered by the company with the statement that DDE is a legitimate feature that does not require any patches or changes. After all, to successfully trigger a DDE attack, the user must personally disable Protected Mode and dismiss several prompts and cautions about updating files from remote sources.
However, at the end of 2017, Microsoft developers finally listened to the criticism, and the default use of DDE in Word was discontinued. Given the prevalence of the problem, patches were released even for Word 2003 and 2007, whose support had long been discontinued.
Unfortunately, the situation is now repeating itself. Experts at Mimecast Threat Center have already contacted Microsoft and explained to the company’s specialists why Power Query could be dangerous. However, Microsoft representatives do not see a problem here: there are no vulnerabilities in Power Query, and attackers can only abuse legitimate functionality. As a result, the company has only published a security bulletin (4053440), which describes in detail how to configure or disable DDE in Excel, because Power Query was originally designed to work over DDE.
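
A defender-side triage check for the kind of workbook described above, added here as an example and not taken from Mimecast or Microsoft: it lists a workbook's external data connections and embedded Power Query definitions so that mail or file scanning can flag them for review. The function names, the sample workbook and its URL are constructed, and the code assumes that connections are recorded in `xl/connections.xml` and that Power Query definitions sit in a `customXml` part rooted at `DataMashup`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def find_external_data(xlsx_bytes):
    """Return findings describing external data sources in a workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "xl/connections.xml":
                for conn in ET.fromstring(data).findall("m:connection", NS):
                    web = conn.find("m:webPr", NS)  # web query settings
                    db = conn.find("m:dbPr", NS)    # OLE DB/ODBC settings
                    findings.append({
                        "kind": "connection",
                        "name": conn.get("name"),
                        # True when data is fetched as the file is opened
                        "refresh_on_load": conn.get("refreshOnLoad") in ("1", "true"),
                        "url": web.get("url") if web is not None else None,
                        "power_query": db is not None
                        and "Microsoft.Mashup" in db.get("connection", ""),
                    })
            elif name.startswith("customXml/item"):
                # Assumption: Power Query keeps its queries in a customXml part
                # rooted at <DataMashup>, stored as UTF-8 or UTF-16.
                if b"DataMashup" in data or "DataMashup".encode("utf-16-le") in data:
                    findings.append({"kind": "datamashup", "name": name})
    return findings

def build_sample():
    """Constructed workbook skeleton: only the parts the scanner reads."""
    connections = (
        '<connections xmlns="%s">'
        '<connection id="1" name="Query - Query1" type="5" refreshOnLoad="1">'
        '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;'
        'Data Source=$Workbook$;Location=Query1"/></connection>'
        '<connection id="2" name="web" type="4">'
        '<webPr url="http://data.example.invalid/table"/></connection>'
        "</connections>" % NS["m"]
    )
    mashup = '\ufeff<DataMashup xmlns="http://schemas.microsoft.com/DataMashup"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", connections)
        zf.writestr("customXml/item1.xml", mashup.encode("utf-16-le"))
    return buf.getvalue()
```

A finding with `refresh_on_load` set or a `url` pointing outside the organization is the case worth routing to manual review, since the remote content is not part of the file a sandbox inspects.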