[SingCERT] Microsoft Office's Excel Attack Vector

Published on 02 Jul 2019

Updated on 07 Jan 2020


Security researchers have discovered a new security loophole in Microsoft Office's Excel program. Attackers can exploit an Excel feature called Power Query to launch a remote Dynamic Data Exchange (DDE) attack on an Excel spreadsheet. This could allow an attacker to drop malware, profile a device, and execute arbitrary commands on a user's machine.

For more information and details on the attack vector, visit https://www.mimecast.com/blog/2019/06/exploit-using-microsoft-excel-power-query-for-remote-dde-execution-discovered/

Affected Software

  • Microsoft Office 2016 and older:
    • Excel running Power Query

Successful exploitation of the DDE feature could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, such as installing unauthorised programmes, creating rogue administrator accounts, and viewing, changing, or deleting data.


Microsoft has published an advisory (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440) on mitigation measures for DDE-related attacks. Users are advised to apply the mitigation measures immediately.
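
For defenders triaging spreadsheets received by mail or found on file shares, the following added example (not part of this advisory or of Microsoft's guidance) flags workbooks that contain Power Query or DDE link parts. The part paths and marker strings are assumptions based on the usual OOXML package layout, the function names are hypothetical, and the sample workbook is constructed in memory.

```python
import io
import re
import zipfile

MAX_PART_BYTES = 5 * 1024 * 1024  # cap per-part reads so a hostile archive cannot exhaust memory

# Assumed markers, based on the OOXML package layout (not taken from the advisory):
# (finding name, part-name pattern, byte marker searched inside matching parts)
CHECKS = [
    ("dde_link", re.compile(r"^xl/externalLinks/[^/]+\.xml$"), b"ddeLink"),
    ("power_query_connection", re.compile(r"^xl/connections\.xml$"), b"Microsoft.Mashup.OleDb"),
    ("power_query_mashup", re.compile(r"^customXml/item\d+\.xml$"), b"DataMashup"),
]

def scan_workbook(data: bytes) -> dict:
    """Return {finding: [part names]} for an .xlsx/.xlsm given as raw bytes."""
    findings = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .xls or a damaged file: needs a different parser.
        return {"not_ooxml": []}
    with zf:
        for info in zf.infolist():
            for name, pattern, marker in CHECKS:
                if not pattern.match(info.filename):
                    continue
                with zf.open(info) as part:
                    body = part.read(MAX_PART_BYTES)
                # Power Query parts are often UTF-16; dropping NULs lets one ASCII marker match both.
                if marker in body.replace(b"\x00", b""):
                    findings.setdefault(name, []).append(info.filename)
    return findings

def build_sample(parts: dict) -> bytes:
    """Build a constructed in-memory workbook for the demo (sample data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample({
        "xl/connections.xml": b'<connections><connection><dbPr connection="Provider=Microsoft.Mashup.OleDb.1;"/></connection></connections>',
        "customXml/item1.xml": '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup"/>'.encode("utf-16-le"),
    })
    print(scan_workbook(sample))
```

A hit means only that the feature is present in the workbook, since Power Query has many legitimate uses; treat it as a reason to review the file's origin and its queries before opening it with content enabled.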