New Exploit for Microsoft Excel Power Query

Check that you’re following the advice (linked below):

Organizations now have one more reason to pay attention to the security settings of their Microsoft Office applications.

Researchers at Mimecast have developed a working proof of concept that shows how attackers can use a legitimate function in Microsoft Excel called Power Query to remotely drop and run malware on a user’s system to escalate privileges and carry out other malicious activity.

Such attacks can be hard to detect and could allow attackers to load payloads into Excel spreadsheets directly from the Web or another external source when the document is opened, Mimecast said. Because Power Query is a very powerful feature, the potential for the issue to be abused is great, according to the security vendor.

Mimecast’s exploit is the latest involving Dynamic Data Exchange (DDE), a protocol that allows Microsoft applications that use shared memory to exchange data and messages with each other. In the past, researchers and advanced threat groups have demonstrated how DDE can be exploited within Word and other Microsoft Office apps to distribute malware, escalate local privileges, and enable other malicious activity.

In response, Microsoft issued guidance in January 2018 recommending that organizations disable the DDE feature where it is not needed to block external data connections. The company has also noted that for DDE exploits to work, a user would need to click through multiple security prompts. Warnings are displayed on all currently supported Excel versions before loading external data and before executing a command from a DDE formula.
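For defenders who want to know which workbooks would trigger those external-data prompts in the first place, the following added example (not from the article, Mimecast or Microsoft) inventories the external data connections and DDE links declared inside an .xlsx package. It assumes the Office Open XML layout (`xl/connections.xml`, `xl/externalLinks/*.xml`); the function names and the sample workbook are constructed for illustration, and legacy .xls files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MAX_PART = 5 * 1024 * 1024  # skip parts whose declared size is implausibly large

def external_data_findings(xlsx_bytes):
    """Return sorted (kind, part, detail) tuples for external-data features."""
    out = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            is_conn = name == "xl/connections.xml"
            is_link = name.startswith("xl/externalLinks/") and name.endswith(".xml")
            if not (is_conn or is_link):
                continue
            data = z.read(name) if info.file_size <= MAX_PART else b""
            if not data or b"<!DOCTYPE" in data:  # OOXML parts carry no DTD
                out.append(("unparsed", name, "oversized, empty or contains a DTD"))
                continue
            root = ET.fromstring(data)
            if is_conn:
                for c in root.iter(NS + "connection"):
                    web, db = c.find(NS + "webPr"), c.find(NS + "dbPr")
                    target = web.get("url") if web is not None else db.get("connection") if db is not None else None
                    out.append(("connection", name, target or c.get("name", "")))
            else:
                for d in root.iter(NS + "ddeLink"):
                    out.append(("dde-link", name, f"{d.get('ddeService')}|{d.get('ddeTopic')}"))
    return sorted(out)

def build_sample():
    """Constructed package skeleton: one web connection and one DDE link."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/connections.xml": f'<connections {ns}><connection id="1" name="q1">'
                              f'<webPr url="http://example.invalid/data.txt"/></connection></connections>',
        "xl/externalLinks/externalLink1.xml": f'<externalLink {ns}>'
                              f'<ddeLink ddeService="SampleApp" ddeTopic="SampleTopic"/></externalLink>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in external_data_findings(build_sample()):
        print(*finding, sep="\t")
```

An empty result only means the package declares no connections or DDE links in these parts; it is an inventory aid for mail-gateway or file-share triage, not a verdict on the file.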

[…]

Original article here