loader gif

Microsoft Excel’s Power Query feature can be exploited to deploy malware

Microsoft Excel’s Power Query feature can be exploited to deploy malware
  • The tool is included in the recent versions of Excel and is available as a separate add-in for older Excel versions.
  • The Power Query attack technique is similar to another exploit that abuses an Excel feature named Dynamic Data Exchange (DDE).

Security experts have come up with a method to abuse Microsoft Excel’s Power Query feature. The technique can allow an attacker to run malicious code on users’ systems. The tool is included in the recent versions of Excel and is available as a separate add-in for older Excel versions.

What is the purpose of Power Query?

Power Query is a data connection technology that can be used to search for data sources, make connections and then shape data (such as remove a column, change a data type or merge tables) as per the requirements.

How can Power Query be abused?

In their research, a security expert from Mimecast Threat Center has described that the technique used to abuse Power Query relies on creating malformed Excel documents. These malformed documents can then use Power Query to import data from an attacker’s remote server.

"Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened. The malicious code could be used to drop and execute malware that can compromise the user's machine,” wrote Mimecast researcher Ofir Shlomo in a blog post.

The technique can even bypass security sandboxes that analyze documents sent via email.

Striking similarity with DDE exploit

The Power Query attack technique is similar to the one that was used to abuse another Excel feature named Dynamic Data Exchange (DDE). The technique was documented in 2017 by SensePost and could be used to distribute malware.

What action has been taken?

Mimecast has contacted Microsoft to inform them about the issue. The IT giant has declined to patch the issue as it is not actually a vulnerability but just a method which bad actors can abuse a feature to do bad things.

loader gif