Researcher’s footnote: The death of Macros and the rise of PowerQuery

Masq31 - Benjamin Giordano
Mar 6, 2022

Microsoft recently updated Excel so that VBScript software no longer runs from the little “enable macros” button at the top of your screen [1]. Having a couple of Excel-oriented assignments, I decided to take another look at the functionality that is coming to replace this very old technology. It is true that a lot of companies rely on scripts to automate tasks, but in the modern web 2.0 age we have devices which use JSON endpoints to make data not only quick and efficient, but standardized in format. The tool we’re looking at pulls data from the web and plugs it into a spreadsheet with a few clicks. It is called PowerQuery [2].

PowerQuery’s ability to pull JSON is quite similar to Postman, a tool designed to test endpoints. Postman is more in depth than Excel for web purposes, but for extracting data into rows and tables for further synthesis, Excel is the dominant tool. Companies that aren’t software oriented are likely using a Microsoft 365 or Office 365 suite of tools to get day-to-day work done, which may include accounting tasks. If putting your organization’s sales data behind an internal endpoint for processing sounds absurdly risky for the time saved, it is, but let’s just imagine for a moment that this is what happens.

As one may imagine, security with this tool is not at the front of the priority list. There are various permissions and settings for the data’s source, SSL settings and credential types. An interesting setting is how Excel can validate to Active Directory Federation Services when connecting to external-facing databases [3]. This could be a potential vector for getting in the front door, as resources which do not perform this check are prone to leaking critical database files. Of course this is handled much better with specialized tools such as Burp Suite or Postman. There are also Excel service-specific permissions, which are not exactly easily replicated by the former tools, but can be part of a well positioned MITM attack if Excel’s queries are intercepted and then further tweaked for pentesting purposes.

Another attack type could potentially stem from Excel itself. Looking into some HackTricks guides, there are indeed a couple of methods available for Excel cell injection [4]. Perhaps if one were to lock on or DNS poison an HTTP API endpoint, one could change the values of the cells to make a more sinister message, app or code piece run within this area.
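For the team that owns such an endpoint, one mitigation is to neutralize formula-like strings before the JSON ever reaches a spreadsheet. The sketch below is an added example, not code from this post or from Microsoft: the function names and sample payload are constructed, and the apostrophe prefix follows the common CSV-injection guidance, assumed here to suit the consuming workbook.

```python
import json

# Leading characters a spreadsheet may read as the start of a formula
# (the set commonly listed in CSV/formula-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize(value):
    """Return (safe_value, flagged). Only strings change; numbers stay numeric."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value, True  # the apostrophe forces the cell to plain text
    return value, False

def sanitize(node, path="$", findings=None):
    """Walk parsed JSON, neutralize risky strings, record where they were found."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        out = {k: sanitize(v, f"{path}.{k}", findings)[0] for k, v in node.items()}
        return out, findings
    if isinstance(node, list):
        out = [sanitize(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)]
        return out, findings
    safe, flagged = neutralize(node)
    if flagged:
        findings.append(path)
    return safe, findings

# Constructed sample response from a hypothetical internal sales endpoint.
SAMPLE = """
{"sales": [
  {"region": "North", "total": -1250.5, "note": "=1+1"},
  {"region": "@South", "total": 900, "note": "on target"},
  {"region": "East", "total": 40, "note": "-10% vs. last quarter"}
]}
"""

def check_sample():
    return sanitize(json.loads(SAMPLE))

if __name__ == "__main__":
    clean, findings = check_sample()
    print(json.dumps(clean, indent=2))
    print("flagged paths:", findings)
```

The third record is a legitimate note that still gets flagged, which is why the findings list is worth logging and reviewing rather than silently dropping values.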

Excel also includes a JSON and XML parser, allowing the data to be obfuscated a bit before the user falls for a social engineering trick that completes the rest of the attacker’s commands within the spreadsheet [5].

More research is needed, as with most projects. While this is certainly the end of VB Macros, it could be the beginning of something a little more unsettling with PowerQuery. Let me know if you have any thoughts or comments on the matter. Thanks for reading. Stay safe.

[1] https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked

[2] https://support.microsoft.com/en-us/office/import-data-from-the-web-b13eed81-33fe-410d-9247-1747269c28e4

[3] https://support.microsoft.com/en-us/office/excel-services-authentication-settings-f3b2697a-953a-44e5-8bd2-e05819ab3e63

[4] https://book.hacktricks.xyz/pentesting-web/formula-injection

[5] https://theexcelclub.com/how-to-parse-custom-json-data-using-excel/
