You probably think of Microsoft's classic spreadsheet program Excel as mostly boring. Sure, it can wrangle data, but it's not exactly Apex Legends. For hackers, though, it's a lot of fun. As with the rest of the Office 365 suite, attackers often manipulate Excel to launch their digital strikes. And two recent findings demonstrate how the program's own legitimate features can be used against it.

On Thursday, researchers from threat intelligence firm Mimecast are disclosing findings that an Excel feature called Power Query can be manipulated to facilitate established Office 365 system attacks. Power Query allows users to combine data from various sources with a spreadsheet—like a database, second spreadsheet, document, or website. This mechanism for linking out to another component, though, can also be abused to link to a malicious webpage that contains malware. In this way, attackers can distribute tainted Excel spreadsheets that wreak havoc, from granting attackers system privileges to installing backdoors.

"Attackers don’t need to invest in a very sophisticated attack—they can just open up Microsoft Excel and use its own tools," says Meni Farjon, Mimecast's chief scientist. "And you have basically 100 percent reliability. The exploit will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it's based on a legitimate feature. That makes it very viable for attackers."

Farjon suggests that once Power Query connects to a malicious website, attackers could initiate something like a Dynamic Data Exchange attack, which exploits a Windows protocol that lets applications share data in an operating system. Digital systems are usually set up to silo programs so they can't interact without permission. So protocols like DDE exist to be a sort of mediator in situations where it would be useful for programs to compare notes. But attackers can embed the commands that initiate DDE in their website, and then use Power Query commands in a malicious spreadsheet to merge the website’s data with the spreadsheet and set off the DDE attack. They could use the same type of flow to drop other malware onto a target system through Power Query, too.

Microsoft offers prompts that warn users when two programs are going to link through DDE, but hackers have launched DDE attacks from Word documents and Excel sheets since about 2014, tricking users into clicking through the warnings. “We have reviewed claims in the researchers’ report and for this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula,” a Microsoft spokesperson told WIRED in a statement.


In a 2017 security advisory, Microsoft offered suggestions about how to avoid the attacks, like disabling DDE for various Office suite programs. But Mimecast's findings represent yet another way to launch them on devices that don't have these workarounds in place. After the researchers disclosed their Power Query findings to Microsoft in June 2018, the company said that it would not be making any changes to the feature and hasn't since. Farjon says Mimecast waited a year to disclose the findings, in hopes that Microsoft would change its mind. And while Mimecast hasn't seen any indication that Power Query is being manipulated for attacks in the wild yet, the researchers also point out that the attacks are difficult to detect, because they stem from a legitimate feature. Security tools would need to incorporate specific monitoring features to catch the activity.
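One form such monitoring could take is a triage script that lists the web sources a workbook's Power Query code pulls from. This is an added example, not code from Mimecast or Microsoft. It assumes the query definitions sit in a `customXml/item*.xml` part as a base64 `DataMashup` blob laid out as in Microsoft's published [MS-QDEFF] format (4-byte version, 4-byte length, then a ZIP package of `.m` files); the function names and the sample workbook are constructed for illustration.

```python
import base64, io, re, struct, zipfile

# M functions that fetch remote content; only literal string URLs are captured.
WEB_CALL = re.compile(r'\b(Web\.Contents|Web\.Page|Web\.BrowserContents)\s*\(\s*"([^"]*)"')

def power_query_web_sources(xlsx_bytes):
    """Return (function, url) pairs found in a workbook's Power Query code."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as book:
        for name in book.namelist():
            if not name.startswith("customXml/item"):
                continue
            raw = book.read(name)
            # Excel writes this part as UTF-16 with a BOM; the sample below is UTF-8.
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
            m = re.search(r"<DataMashup[^>]*>([^<]+)</DataMashup>", raw.decode(enc, "replace"))
            if not m:
                continue
            blob = base64.b64decode(m.group(1))
            # Assumed layout: version (4 bytes), package length (4 bytes), ZIP package.
            (size,) = struct.unpack_from("<I", blob, 4)
            try:
                pkg = zipfile.ZipFile(io.BytesIO(blob[8:8 + size]))
            except zipfile.BadZipFile:
                hits.append(("unparsed", name))  # malformed blob: flag for manual review
                continue
            for part in pkg.namelist():
                if part.endswith(".m"):
                    hits += WEB_CALL.findall(pkg.read(part).decode("utf-8", "replace"))
    return hits

def build_sample():
    """Constructed workbook holding one web query; not a real document."""
    m_code = 'section Section1;\nshared Q = Web.Page(Web.Contents("https://example.invalid/data"));'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Formulas/Section1.m", m_code)
    pkg = inner.getvalue()
    blob = struct.pack("<II", 0, len(pkg)) + pkg
    xml = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">%s</DataMashup>' % (
        base64.b64encode(blob).decode())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("customXml/item1.xml", xml)
    return outer.getvalue()

if __name__ == "__main__":
    print(power_query_web_sources(build_sample()))
```

A URL assembled at runtime rather than written as a string literal will not appear in the output, so an empty result does not prove a workbook has no web queries.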

"Unfortunately I think attackers will absolutely use this," Farjon says. "It’s easy, it’s exploitable, it’s cheap, and it’s reliable."

Separately, Microsoft's own security intelligence team warned just last week that attackers are actively exploiting a different Excel feature to compromise Windows machines even when they have the latest security updates. That attack, which seems to currently target Korean-language users, launches through malicious macros. Macros have been a scourge of Excel and Word for years, because they are components that can run a series of commands, and therefore can be programmed to run a series of malicious instructions. Macros are meant to be a helpful automation tool, but with expanded functionality comes potential abuse.