News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Mimecast shows yet another way to zap systems using Excel’s Power Query feature

    Posted on June 27th, 2019 at 09:56 woody Comment on the AskWoody Lounge

    Early this morning, email security company Mimecast released a report detailing how malicious folks can attack by abusing the Excel feature called Power Query:

    Mimecast Threat Center found and developed a technique that uses a feature in Microsoft Excel called Power Query to dynamically launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet and actively control the payload Power Query.

    The threat they describe isn’t unique — if you’ve been working with Excel for any time at all, you know there are features that just beg to be abused — but it is quite clever.

    The folks at Mimecast gave Microsoft a chance to respond, but

    Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure (CVD) process to determine if this is an intended behavior for Power Query, or if it was an issue to be addressed. Microsoft declined to release a fix at this time and instead offered a workaround to help mitigate the issue.

    Thus, we’re getting a full exposure. For more details, look at Mimecast’s report.