Microsoft Excel ships with many features enabled by default that most users will never need, and one of them is worth turning off if you can.
London-based security firm Mimecast today (June 27) showed how Power Query, an Excel feature that pulls in data from databases, websites or even other Excel documents, can be abused to load and run malware on the recipient's machine.
Power Query is an optional add-on for Excel 2010 and Excel 2013. But for Excel 2016, Excel 2019 and Excel for Office 365, it's called Get & Transform and is built right into the main software. (The tool is not available for Macs.)
No one is actively using Mimecast's proof-of-concept methods to attack Excel users—yet. And in its default settings, Excel prompts you before automatically updating data imported from other sources.
Mimecast said it reached out to Microsoft about its attack, but also said that Microsoft declined to change the Power Query/Get & Transform tool because there were already several ways to prevent the attack, especially on the enterprise level.
If you're an ordinary consumer using Excel, you can protect yourself by disabling what Microsoft calls Dynamic Data Exchange (DDE), a broader concept that Power Query/Get & Transform relies upon.
How to disable Dynamic Data Exchange in Excel
1. Click File in the top left corner of the Excel interface.
2. Scroll down to and click Options in the resulting menu.
3. Scroll down to and click Trust Center in the resulting pop-up window.
4. Click the Trust Center Settings button in the resulting frame.
5. Scroll down to and click External Content in the resulting pop-up window's navigation column.
6. Under the heading "Security settings for Workbook Links," select the radio button next to "Disable automatic update of Workbook Links."
7. Click the OK button in the bottom left corner of the window.
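The setting above stops Excel from refreshing outside data on its own. A complementary check, for anyone triaging attachments before they are opened, is to look inside the workbook package for the parts that carry external data connections or Power Query definitions. The scanner below is an added example written for this article, not code from Mimecast or Microsoft; it assumes that data connections live in the standard `xl/connections.xml` part and that Power Query stores its queries as a `DataMashup` element under `customXml/`, and it builds its own constructed sample workbooks for demonstration.

```python
import io
import re
import zipfile

# Parts of an .xlsx package that carry external-data definitions.
# xl/connections.xml is the OOXML data-connections part; Power Query /
# Get & Transform keeps its queries as a "DataMashup" element inside
# customXml/itemN.xml (part name and element name assumed here).
CONNECTIONS_PART = "xl/connections.xml"
CUSTOMXML_RE = re.compile(r"^customXml/item\d+\.xml$")
DATAMASHUP_RE = re.compile(rb"DataMashup", re.IGNORECASE)
URL_RE = re.compile(rb'https?://[^"\s<]+')

def scan_workbook(data: bytes) -> list[str]:
    """Return findings describing external-data parts in the workbook bytes.
    An empty list means no connection or Power Query parts were found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if CONNECTIONS_PART in names:
            body = zf.read(CONNECTIONS_PART)
            # Surface any URLs the connection points at, for the analyst.
            urls = [m.group(0).decode(errors="replace") for m in URL_RE.finditer(body)]
            findings.append(f"{CONNECTIONS_PART}: data connection(s) present; urls={urls}")
        for name in sorted(n for n in names if CUSTOMXML_RE.match(n)):
            if DATAMASHUP_RE.search(zf.read(name)):
                findings.append(f"{name}: Power Query (DataMashup) payload present")
    return findings

def build_sample(with_connection: bool, with_mashup: bool) -> bytes:
    """Constructed minimal .xlsx-shaped zip for demonstration (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_connection:
            zf.writestr(CONNECTIONS_PART,
                        '<connections><connection name="Query1">'
                        '<webPr url="http://example.invalid/feed"/>'
                        '</connection></connections>')
        if with_mashup:
            zf.writestr("customXml/item1.xml",
                        '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">'
                        'AAAA</DataMashup>')
    return buf.getvalue()

if __name__ == "__main__":
    for line in scan_workbook(build_sample(True, True)):
        print(line)
```

A workbook that triggers either finding deserves a look at where its connections point before the "refresh" prompt is ever answered.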