Malicious Code Via Excel Power Query
It is well known that malicious code can be spread via Office documents. But security researchers from the Mimecast Threat Center have now discovered that attacks can use not only Office macros but also a technology that has so far received much less attention. With the Excel Power Query feature, attackers can manipulate Excel documents so that they fetch malicious code from a remote server and execute it through Dynamic Data Exchange (DDE).
Unlike Office macros, the Power Query feature in Excel is not disabled by default and, in some circumstances, runs without user interaction. Getting past the security features of antivirus software did not prove to be much of a hurdle either. Power Query's Advanced Mode can be used to generate a specific HTTP request header that only the server hosting the malicious code can interpret, and to delay delivery of the header, which makes sandbox analysis more difficult.
According to Mimecast, Microsoft does not plan a patch for this "Excel vulnerability" but recommends implementing the 2017 security advisories on effectively countering DDE exploits.
Power Query is included in Microsoft Excel versions 2016 and 2019 and is available as an add-in for older versions. The feature enables Excel to import data and files from external sources, such as databases, Web pages, or other data sources.
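Because the feature is on by default, a mail gateway or triage script can at least flag workbooks that carry Power Query queries or DDE links before they reach a user. The following is an added example, not code from Mimecast or heise; the part names and marker strings are assumptions about how Excel stores these features inside the workbook package, and both sample workbooks are constructed.

```python
import io
import re
import zipfile

# Markers are assumptions about how Excel stores these features in OOXML packages.
MASHUP = "DataMashup"                        # Power Query payload in customXml/item*.xml
MASHUP_PROVIDER = b"Microsoft.Mashup.OleDb"  # connection provider used by Power Query
DDE_LINK = re.compile(rb'<ddeLink\b[^>]*ddeService="([^"]*)"[^>]*ddeTopic="([^"]*)"')


def triage_workbook(data: bytes) -> dict:
    """Return which external-data features an .xlsx/.xlsm package contains."""
    report = {"power_query": False, "mashup_connection": False, "dde_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            body = pkg.read(name)
            lower = name.lower()
            if lower.startswith("customxml/"):
                # The item part is often UTF-16, so test both encodings.
                if MASHUP.encode() in body or MASHUP.encode("utf-16-le") in body:
                    report["power_query"] = True
            elif lower == "xl/connections.xml":
                report["mashup_connection"] = MASHUP_PROVIDER in body
            elif lower.startswith("xl/externallinks/"):
                for service, topic in DDE_LINK.findall(body):
                    report["dde_links"].append((service.decode(), topic.decode()))
    report["needs_review"] = bool(report["power_query"] or report["dde_links"])
    return report


def build_sample(parts: dict) -> bytes:
    """Build a constructed, minimal zip package for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()


# Constructed samples: one plain workbook, one with Power Query and a DDE link.
CLEAN = build_sample({"xl/workbook.xml": b"<workbook/>"})
FLAGGED = build_sample({
    "customXml/item1.xml": '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">AAAA</DataMashup>'.encode("utf-16-le"),
    "xl/connections.xml": b'<connections><connection id="1"><dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Location=Query1"/></connection></connections>',
    "xl/externalLinks/externalLink1.xml": b'<externalLink><ddeLink ddeService="EXAMPLE" ddeTopic="placeholder"/></externalLink>',
})

if __name__ == "__main__":
    print(triage_workbook(CLEAN), triage_workbook(FLAGGED), sep="\n")
```

A hit means only that the workbook pulls external data, which many legitimate reports do, so treat it as a reason to inspect the query source rather than as a verdict.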
Source: heise online