Organizations now have one more reason to pay attention to the security settings of their Microsoft Office applications.
Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query to remotely drop and run malware on a user's system to escalate privileges and other malicious activity.
Such attacks can be hard to detect and could allow attackers to load payloads into Excel spreadsheets directly from the Web or other external source when the document is opened, Mimecast said. Because Power Query is a very powerful feature, the potential for the issue to be abused is great, according to the security vendor.
Mimecast's exploit is the latest involving Dynamic Data Exchange (DDE), a protocol that allows Microsoft applications that use shared memory to exchange data and messages with each other. In the past, researchers and advanced threat groups have demonstrated how DDE can be exploited within Word and other Microsoft Office apps to distribute malware, escalate local privileges, and enable other malicious activity.
In response, Microsoft issued guidance in January 2018 recommending that organizations disable the DDE feature where it is not needed to block external data connections. The company has also noted that for DDE exploits to work, a user would need to click through multiple security prompts. Warnings are displayed on all currently supported Excel versions before loading external data and before executing a command from a DDE formula.
But Meni Farjon, chief scientist of advanced threat detection at Mimecast, says it's unclear how many organizations are following the advice. "It is unlikely that many organizations have disabled it," he says.
The default setting is for DDE to be enabled, which means an organization is vulnerable to exploits targeting the protocol, he says. "It is hard to say that organizations have disabled this feature because some of them rely on these Excel features."
DDE and Social Engineering
Mimecast's new exploit shows how attackers can use Power Query to launch a remote DDE attack in an Excel spreadsheet.
Power Query is a feature in Excel that lets users to connect their spreadsheets with other structured and unstructured data sources, including web pages, text files, databases, Active Directory, Exchange, Hadoop, and even Facebook. It's one of three data analysis tools available with Excel and allows users to discover, combine, and refine their data in various ways.
Mimecast researchers discovered that Power Query's ability to link spreadsheets to other sources and load data from them into an Excel spreadsheet could be abused relatively easily to launch sophisticated and hard-to-detect attacks. "Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened," the company said in an advisory Thursday.
Mimecast's proof of concept shows how an external web page hosting a malicious payload can be loaded into an Excel spreadsheet. "An attacker just needs to open up an Excel document and follow a few clicks to create the issue — no reverse engineering, no hex editing, no memory abuse," Farjon says.
For an attack to work, a threat actor would need to send a crafted Excel file to the victim via a phishing email or use some other social engineering tactic to get that person to open the document. At that point, the document would make a query or request for the malicious payload hosted on the web page.
Antivirus tools wouldn't spot the crafted file as being malicious because the payload would not be embedded in it. And attackers could ensure the payload bypasses antivirus and sandboxing controls when being loaded from the external web page by adding a specific HTTP header in the request, Mimecast said.
"It is very easy and fast to craft, so it makes it viable for both opportunistic and high-scale attacks," Farjon says. A user, however, would need to click on a warning box in order to enable the remote content, he adds. "This isn't a configuration issue since it is enabled by default. It's a security issue rather than a security vulnerability, as per Microsoft," he says.
Microsoft itself pointed to its previous guidance around DDE in response to Mimecast's new exploit. "For this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula," a spokeswoman said in an emailed statement.