The DDEvil is in the detail

UPDATED Security researchers have uncovered a security shortcoming in a component of Microsoft Excel that might be abused by hackers to smuggle malware past security defenses.

The newly discovered technique relies on abusing a feature in Microsoft Excel called Power Query, harnessing it to create sophisticated, hard-to-detect attacks.

In normal use, Excel’s Power Query tool lets users integrate spreadsheets with other data sources such as an external database, a text document, another spreadsheet, or web page.

Security researchers from Mimecast found it was possible to use Power Query to embed malware payloads before loading content into the spreadsheet after an intended target opens a booby-trapped file.

The approach could lend itself to either phishing or malware-based attacks. The attack technique might be abused to drop and execute a malicious payload from a file-sharing site.

More specifically the Mimecast team discovered it was possible to dynamically launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet and actively control the payload Power Query.

DDE is an ageing Microsoft Windows inter-application data communication protocol, these days only supported to provide backward compatibility and legacy support.

Attacks featuring the technique have not been detected in the wild. Mimecast nonetheless warns that the approach is ripe for abuse.

“The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads,” Mimecast’s Ofir Shlomo explains in a technical blog post.

“The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions.”

Mimecast reported the issue to Microsoft as part of a vulnerability disclosure process. Microsoft assessed the problem as being insufficiently serious to merit the development of a patch, instead offering a workaround to help mitigate the issue.

In response to a query from The Daily Swig, Microsoft said the attack technique relied on tricking users through social engineering rather than as a pure software exploit.

“We have reviewed claims in the researchers’ report and for this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula,” Microsoft said.

“A security update was released in January, 2018 for all supported editions of Microsoft Excel allowing customers to set the functionality of the DDE protocol.”

This story was updated on 28 June to add comment on the attack technique from Microsoft