Mimecast Security Research Team leader Ofir Shlomo said in a blog post that the Power Query tool could be used to launch a remote dynamic data exchange attack into an Excel spreadsheet and control the payload.
Explaining the loophole, to which researcher Doron Attias had contributed, Shlomo wrote: "Power Query is a powerful and scalable business intelligence tool that lets users integrate their spreadsheets with other data sources, such as an external database, text document, another spreadsheet, or a web page, to name a few.
"When sources are linked, the data can be loaded and saved into the spreadsheet, or loaded dynamically (when the document is opened, for example)."
"The feature gives such rich controls that it can be used to fingerprint a sandbox or a victim’s machine even before delivering any payloads, Shlomo said.
"The attacker has potential pre-payload and pre-exploitation controls and could deliver a malicious payload to the victim while also making the file appear harmless to a sandbox or other security solutions."
But Microsoft refused to release a fix for this issue and only outlined a workaround to mitigate the bug, namely to either use a Group Policy to block external data connections or use the Office Trust centre to achieve the same outcome.
"Attackers are looking to subvert the detections that victims have," Shlomo said.
"While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging."