Most people consider Microsoft's classic spreadsheet program to be mostly boring. Sure, it can wrangle data, but it's not exactly Apex Legends. For hackers, though, it's a lot of fun. Like the rest of the Office 365 suite, Excel is often manipulated by attackers to launch their digital attacks. Two new findings show how the program's own legitimate features can be used against it.
On Thursday, Mimecast intelligence researchers disclosed findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from multiple sources, such as a database, a second spreadsheet, a document, or a website, into a single table. However, this mechanism for linking to another component can also be misused to connect to a malicious web page containing malware. In this way, attackers can distribute manipulated Excel spreadsheets whose effects range from granting attackers system permissions to installing backdoors.
"Attackers do not have to invest in a very ingenious attack, but can simply open Microsoft Excel and use their own tools," says Meni Farjon, chief scientist at Mimecast. "And you basically have 1
Farjon suggests that once Power Query connects to a malicious website, attackers could launch something like a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Digital systems are usually set up to silo programs so they cannot interact without permission. Protocols like DDE thus act as a kind of mediator in situations where it would be useful for programs to compare notes. However, attackers can embed the commands that trigger DDE in their website, and then use Power Query commands in a malicious spreadsheet to merge the site's data with the spreadsheet and trigger the DDE attack. They could also use the same type of flow to deliver other malware to a target system through Power Query.
Microsoft offers prompts that warn users when two programs are linked through DDE, but hackers have been launching DDE attacks from Word documents and Excel spreadsheets since about 2014, getting users to click through the prompts.
In a security notice from 2017, Microsoft suggested ways to avoid the attacks, such as disabling DDE for various Office suite programs. However, Mimecast's findings represent another way to launch them on devices that do not have these workarounds in place. After the researchers shared their Power Query findings with Microsoft in June 2018, the company said it would not make any changes to the feature, and it has not done so since. According to Farjon, Mimecast waited a year to disclose the findings in the hope that Microsoft would change its mind. And while Mimecast has yet to see any indication that Power Query is being manipulated for attacks in the wild, the researchers also point out that the attacks are hard to detect because they come from a legitimate feature. Security tools would need to include special monitoring features to capture the activity.
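One way such monitoring could start, as an added example that is not from Mimecast, Microsoft, or the original article: a Python triage function that lists the external-data features declared inside a workbook (Power Query connections, legacy web queries, and DDE links). The part names and the `Microsoft.Mashup` provider string reflect how Excel normally stores these features and are assumptions here; the sample workbook parts are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def _parse(raw: bytes):
    # Refuse parts that declare a DTD, so a hostile file cannot use entity expansion.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in workbook part")
    return ET.fromstring(raw)

def scan_workbook(data: bytes) -> list:
    """List external-data features (Power Query, web query, DDE) in an .xlsx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if part == "xl/connections.xml":
                for conn in _parse(z.read(part)).findall("m:connection", NS):
                    name = conn.get("name", "?")
                    auto = conn.get("refreshOnLoad") in ("1", "true")
                    db, web = conn.find("m:dbPr", NS), conn.find("m:webPr", NS)
                    # Assumption: Power Query connections name the Mashup OLE DB provider.
                    if db is not None and "microsoft.mashup" in db.get("connection", "").lower():
                        findings.append(("power-query", name, auto))
                    if web is not None:
                        findings.append(("web-query", web.get("url", "?"), auto))
            elif part.startswith("xl/externalLinks/") and part.endswith(".xml"):
                for el in _parse(z.read(part)).iter():
                    if el.tag.endswith("}ddeLink"):
                        findings.append(("dde-link", el.get("ddeService"), el.get("ddeTopic")))
    return findings

# Constructed sample parts (not taken from any real file).
CONNECTIONS = (
    '<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<connection id="1" name="Query - data" type="5" refreshOnLoad="1">'
    '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;Location=data"/>'
    '</connection></connections>')
DDE_LINK = (
    '<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<ddeLink ddeService="svc" ddeTopic="topic"/></externalLink>')

def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/connections.xml", CONNECTIONS)
        z.writestr("xl/externalLinks/externalLink1.xml", DDE_LINK)
    return buf.getvalue()
```

A finding here only means the workbook pulls data from outside itself; whether that is expected depends on the sender and the source it points to.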
"Unfortunately, I think attackers will definitely use it," says Farjon. "It's easy, exploitable, cheap and reliable."
Separately, Microsoft's own security intelligence team warned last week that attackers are actively exploiting another Excel feature to compromise Windows computers even when they have the latest security updates. This attack, which currently appears to target Korean users, is launched through malicious macros. Macros have been a plague for Excel and Word for years, because they are components that can execute a series of commands and can therefore be programmed to execute a series of malicious instructions. Macros are intended as a useful automation tool, but advanced features come with the potential for abuse.
Understandably, Office 365 users want new helpful features, but every new component also carries a potential risk of abuse. The more powerful and flexible the programs are, the more hackers can find malicious ways to manipulate them. Microsoft said that the Windows Defender scanning system was able to block last week's macro attacks because it knew exactly what to look for. However, Mimecast's findings are a reminder that there are always other avenues just waiting to be exploited by hackers.
"It's becoming increasingly difficult to use 'traditional' exploitation methods to infect an organization," says Ronnie Tokazowski, a senior threat researcher at email security company Agari. "But if attackers find a feature they can abuse, they do not have to worry about finding an exploit or which version of Windows they're targeting. They're just trying to find the path of least resistance."
Microsoft states that both macros and Power Query can be controlled by using an Office 365 administration feature called Group Policy. Essentially, administrators can adjust the settings on all of their company's devices at the same time. But when users need to disable certain features to be protected from attacks, it raises the question of whether the feature should be available at all.