New Microsoft Excel Attack Vector Surfaces
28 Jun 2019
A feature in Microsoft Office’s Excel spreadsheet program
called Power Query can be exploited to plant malware on remote systems.
Researchers at Mimecast Threat Center say they have developed a
proof-of-concept attack scenario and reported the vulnerability Thursday.
The exploitable feature, Power Query, allows users to pull outside data
sources such as external databases or web-based data into a spreadsheet.
Mimecast developed a technique that uses Power Query to fetch a remote Dynamic
Data Exchange (DDE) payload into an Excel spreadsheet, deliver the malicious
payload and then actively control it.
“Power Query could also be used to launch sophisticated,
hard-to-detect attacks that combine several attack surfaces. Using Power Query,
attackers could embed malicious content in a separate data source, and then
load the content into the spreadsheet when it is opened,” wrote Ofir Shlomo,
security research team leader at Mimecast in a technical description of the
proof-of-concept (PoC) attack.
Mimecast said it worked with Microsoft during the disclosure
process; however, Microsoft declined to release a fix. Instead, Microsoft is
recommending workaround mitigations to fend off attacks using the PoC technique,
including a 2017 Microsoft security advisory on securely configuring Office
applications that process Dynamic Data Exchange fields.
One Mimecast attack scenario starts with an adversary
hosting, on an HTTP server, an external webpage that contains the malicious
payload that will eventually be dropped into the spreadsheet. “The HTTP server
listened locally on port 80 and served DDE content as a response when a request
was received from the spreadsheet,” Shlomo said.
Using Microsoft Excel 2016, the target who is enticed to
open the spreadsheet is prompted before the remotely hosted malicious webpage is
requested. The request to fetch and load the third-party data is not silent;
the user is presented with a dialog box offering “OK” and “Cancel”
options, and the URL is clearly shown.
If the user chooses to permit the outside data to load into
the Excel spreadsheet cell, the attack begins. “To make the DDE run, the user
is required to double click the cell that loads the DDE and to then click again
to release it. Those operations will trigger the DDE and launch the payload
that was received from the web,” the researcher wrote.
No User Interaction Required for Payload Delivery
However, the researchers say that in the older Microsoft
Excel 2010 the payload executes automatically, with no user interaction needed.
The “Get External Data >> From Web” query runs when the Excel spreadsheet is
opened, with no “Click to run” prompt. For these requests Excel stores the
connection in the workbook’s connections.xml part using web properties (webPr)
rather than database properties (dbPr). “Unlike ‘dbPr,’ ‘webPr’ [is much simpler
and] does not require any user actions to run the payload,” the researcher explained.
While constructing the HTTP requests that fetch the malicious
payload, the researchers found they could evade the anti-virus and sandboxing
capabilities of targeted systems in their Microsoft Office 2010 PoC. They did
this by gating the payload on an HTTP request header that the spreadsheet’s
request carried and a scanner’s test request did not.
“The anti-virus extracted the URL of the HTTP server from
the file but did not parse the headers. When the AV sent a test request, the
server knew this was from the AV and not the spreadsheet,” Mimecast said. “The
DDE will be served only when the ‘Referer’ HTTP header is set to
‘www.google.com.’ Otherwise, the content won’t be served.”
This technique let the researchers avoid AV detection. A
separate method was needed to evade sandboxing of the malicious content. To do
this an adversary could set the Power Query connection to “auto refresh” every
minute, then send the Excel spreadsheet while no payload is yet hosted on the
remote server. That way no malicious content would be red-flagged or need to
Once the document had been opened and saved, the attacker could
then place the malicious payload on the external HTTP server, to be delivered
via Power Query.
“Avoiding malicious content that could potentially mark this
file as malware by forcing the file to refresh data when opening the file and
removing data from the external data range before saving. Those properties
ensure that the payload in the file will update when the file is opened,” the
According to researchers, setting the refresh interval to
one minute meant “every sandbox that executed the file in less than 10 minutes
would never get [the] payload.”
The sandboxing evasion was not a sure bet; the PoC
worked only a portion of the time.
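The connections.xml details above (webPr versus dbPr) and the refresh settings used to defeat sandboxes can both be checked statically before a workbook ever reaches Excel. The following Python script is an added example, not code from the article or from Mimecast: it opens an .xlsx as the zip it is, parses the xl/connections.xml part, and flags the indicators this article names (a webPr web query rather than a dbPr database connection, refreshOnLoad, a refresh interval, and fetched data not persisted in the file), and it also checks for an Excel 2016 Power Query DataMashup part in customXml. The element and attribute names come from the SpreadsheetML schema (ECMA-376); the sample connections part, the 203.0.113.10 URL and the reading of saveData’s default are constructed or assumed for the example and labelled as such in the comments.

```python
"""Static triage of external-data connections in an .xlsx workbook (added example)."""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SpreadsheetML main namespace (ECMA-376), used by xl/connections.xml.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed sample part: one web query that refreshes on open and every
# minute without keeping fetched data, plus one ordinary database connection.
# The URL is in a documentation range (RFC 5737); nothing is ever fetched.
CONNECTIONS_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <connection id="1" name="Connection" type="4" refreshedVersion="3"
              background="1" refreshOnLoad="1" interval="1" saveData="0">
    <webPr sourceData="1" parsePre="1" consecutive="1"
           url="http://203.0.113.10/feed"/>
  </connection>
  <connection id="2" name="Sales" type="1" refreshedVersion="3" saveData="1">
    <dbPr connection="DSN=sales;" command="SELECT * FROM orders"/>
  </connection>
</connections>
"""


def build_sample_xlsx() -> bytes:
    """Return a minimal zip carrying only xl/connections.xml (enough for triage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/connections.xml", CONNECTIONS_XML)
    return buf.getvalue()


@dataclass
class Finding:
    name: str
    kind: str                 # "web" (webPr), "db" (dbPr) or "other"
    url: str | None
    flags: list[str] = field(default_factory=list)


def triage_connections(xlsx_bytes: bytes) -> list[Finding]:
    """Parse xl/connections.xml and record the risk indicators per connection."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        if "xl/connections.xml" not in z.namelist():
            return findings
        root = ET.fromstring(z.read("xl/connections.xml"))
    for conn in root.findall("m:connection", NS):
        web = conn.find("m:webPr", NS)
        db = conn.find("m:dbPr", NS)
        kind = "web" if web is not None else "db" if db is not None else "other"
        url = web.get("url") if web is not None else None
        f = Finding(conn.get("name", "?"), kind, url)
        if kind == "web":
            f.flags.append("webPr: web query (runs on open in Excel 2010 per Mimecast)")
        if conn.get("refreshOnLoad") == "1":
            f.flags.append("refreshOnLoad: refetches when the workbook opens")
        if conn.get("interval") is not None:
            f.flags.append(f"interval={conn.get('interval')}: periodic background refresh")
        # Assumption: saveData defaults to false in the schema, so "0" or absent
        # means fetched content is not persisted and a static scan sees no payload.
        if conn.get("saveData", "0") != "1":
            f.flags.append("saveData=0: fetched data not stored in the workbook")
        if url and url.lower().startswith("http://"):
            f.flags.append("plaintext HTTP source")
        findings.append(f)
    return findings


def has_power_query(xlsx_bytes: bytes) -> bool:
    """Excel 2016 Power Query (M) queries live in a customXml DataMashup part."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        return any(
            n.startswith("customXml/item") and n.endswith(".xml")
            and b"DataMashup" in z.read(n)
            for n in z.namelist()
        )


def is_suspicious(findings: list[Finding]) -> bool:
    """A web query that refreshes on open or on a timer matches the PoC pattern."""
    return any(
        f.kind == "web"
        and any(fl.startswith(("refreshOnLoad", "interval=")) for fl in f.flags)
        for f in findings
    )


if __name__ == "__main__":
    sample = build_sample_xlsx()
    results = triage_connections(sample)
    for r in results:
        print(f"{r.name} [{r.kind}] url={r.url}")
        for fl in r.flags:
            print("   -", fl)
    print("power query part:", has_power_query(sample))
    print("suspicious:", is_suspicious(results))
```

Because the triage reads the connection definition rather than the fetched data, it is indifferent to whether the remote server is serving a payload at scan time, which is exactly the gap the delayed-payload trick exploits. Replace `build_sample_xlsx()` with the bytes of a real attachment to run it against a workbook.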
“Attackers are looking to subvert the detections that
victims have. While there is a chance that this kind of attack may be detected
over time as threat intelligence is shared between various security experts and
information sharing platforms, Mimecast strongly recommends all Microsoft Excel
customers implement the workarounds suggested by Microsoft as the potential
threat to these Microsoft users is real and the exploit could be damaging,”