Cyber Alert: Vulnerability Discovered in Microsoft Excel; Rise in Spear-Phishing Attacks

June 28, 2019 by ACA Aponix

This alert contains information about a vulnerability discovered in Microsoft® Excel®, as well as information about a recent rise in spear-phishing attacks attributable to heightened international tensions.

Excel Vulnerability

On June 27, researchers at Mimecast published information on a vulnerability discovered in Microsoft Excel. This vulnerability allows bad actors to install malware on systems and remotely launch attacks.

The vulnerability involves the use of a remote Dynamic Data Exchange (DDE) attack that takes advantage of Excel’s Power Query feature. Power Query enables users to integrate their spreadsheets with external information sources (e.g., databases, web pages).

Attackers can launch a remote DDE attack into an Excel spreadsheet. They can then deliver malicious content into that spreadsheet, and actively control it using the Power Query tool.

The vulnerability is considered particularly dangerous as it can give attackers administrative rights to the workstation the document resides on. Additionally, the embedded malware can be difficult for antivirus and other malware prevention tools to detect. Further, in versions of Excel prior to 2010, the malware payload can be exploited without user intervention, though in later versions users are required to click to run external content.

Microsoft has been notified of the vulnerability. They have declined to issue a fix, pointing instead to a 2017 security advisory detailing methods for securing documents containing DDE fields.

ACA Aponix Guidance

ACA Aponix recommends taking the following actions regarding the Excel vulnerability:

  • Consider adjusting security levels of Excel DDE settings, per the Microsoft advisory.
  • Consider disabling use of DDE and the Power Query feature (though this may impact the usability of related plugins).
  • Monitor logs and systems for any unusual activity.
  • Inform staff of this vulnerability as relates to personal devices and “bring your own” devices used for work purposes.

Rise in Spear-Phishing Attacks from Iranian Hackers

The U.S. Department of Homeland Security has reported a recent rise in spear-phishing cyberattacks attributed to Iranian hackers in response to recent international tensions.

Spear-phishing is a form of social engineering, in which emails from ostensibly known or trusted contacts are sent to specific individuals. The emails aim to entice these individuals to reveal confidential information.

Per Chris Krebs, Director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), spear-phishing and other related attacks are increasingly being used by Iranian actors and proxies. These efforts can include “wiper” attacks, which utilize the theft of information to ultimately lead to the erasing of data and bring down networks.

The attacks are seen as a response to the recent international tensions between the U.S. and Iran, following the downing of a U.S. drone and the increase in U.S. sanctions and U.S. counter cyber activity. The attacks have been noted as targeting U.S. critical infrastructure, the oil and gas industry, and government facilities, among others.

ACA Aponix Guidance

ACA has been made aware of recent examples this past week of targeted attacks that include over $3M in fund money being fraudulently transferred and multiple instances of portfolio companies of clients who have fallen prey to ransomware.

ACA Aponix recommends taking the following actions regarding the rise in spear-phishing attacks:

  • Ensure that information security policies are up to date and in practice.
  • Ensure that all staff have received training regarding phishing, spear-phishing, and related social engineering schemes.
  • Monitor logs and systems for any unusual activity.
  • Inform staff of the heightened attacks, and engage them in efforts to maintain high standards of vigilance.

How We Help

ACA Aponix offers the following solutions that can help your firm ensure strong security:

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at