• Blog/Microsoft Power Query…

Microsoft Power Query…The Hacker’s Power

Microsoft has been introducing useful innovations in Office suite, making it easier to use, providing a better "user-experience" and trying to make this product increasingly open to various data sources.

Let's talk about Microsoft Power Query feature. This add-in for Microsoft Excel helps to improve business intelligence experience in self-service mode, simplifying collaboration, discovery and access to data from a wide range of sources, OData, Web, Hadoop and more [1].

Importing data from a web page in a tabular way has never been so simple (see Microsoft example). Furthermore, it is possible to save and / or export the query within a specific file having the extension “.iqy”.

In order to offer the chance to better understand what we are talking about, the image on the left shows the icon of the file containing the query of the data will be imported and in the right image the contents of the file.

Cyber ​​Criminals have been able to exploit this feature for them self and using these files as attachment to Phishing emails. What has been said is the most up-to-date I can be and to support this I am quoting the Palo Alto analysis, about the new threat actor group "darkhydrus" that targeted middle east government. In July 2018 Cyber ​​Threat Intelligence Team of Palo Alto, known as the “Unit 42”, nalyzed a cyber attack where its peculiarity is hidden behind the use of a particular type of file attached to spear-phishing emails. Inside a password-protected RAR archives there was a Microsoft Power Query file (.iqy).

To demonstrate how is easy for an attacker to exploit this Microsoft's feature, a simulation will be made, rebuilding an attack that using Microsoft Power Query files.

The image above is a reconstruction of how a phishing mail would present itself to the recipients.

Double click on the file it will run Microsoft Excel.

An alert will inform the user of a potential security issue.

This kind of alert may seem unusual, also for a newbie user. Attackers always know how to improve their capabilities, so they have come up with a new way to create documents that do not suspect users and that an analysis of security systems are legal, even if they conceal malicious artifacts to download and run fraudulent content.

Microsoft offers the opportunity to save files in Excel format that contain within them the web query, and therefore the content of the ".iqy" file.

Attackers understood that this way will make the documents attached to the mail much more credible than before.


In order to demonstrate the potentiality of this attack, a small script was created to execute the calculator, saved in a ".dat" file. Finally, this file was uploaded to a remote server and the path was imported into an Excel file via Microsoft Power Query.

Above, an excerpt of the query contained in the "iqy" file in case it is exported from the Excel file.

As you can see from the image below, the email is quite credible. The attached Excel file, in turn, has no fraudulent content because the URL contained within it is a component of the Microsoft Power Query feature.

A reconstruction of how the phishing mail is presented to the recipients.

When opening the "test.xlsx" file, a security warning will be displayed to inform the user that the file has disabled content. This could trigger an alarm bell for the user. Cyber criminals know that users may notice that this is an evil email, for this reason in targeted phishing campaigns, emails "mimics" to come from a colleague's mail box or external entities with whom the target has a frequent business relationship. In this case the victim will be more inclined to underestimate the alert displayed and to enable the content.

The image above shows how the file looks after its execution. It is useful to point out to the reader that the excel sheet to the view does not present anything that could make one think of fraudulent contents hidden inside it. The text “#RIF!”, located inside cell A1, in some way could lure the user to think that the empty sheet and the text string “#RIF!” Is a problem caused by the deactivated contents. In the following image we can see that, by enabling the contents, a second alert signals to the user that another application will be executed.

By clicking on the "Yes" button, the attack take place and the calculator will be started on the victim system.

In order to demonstrate the pervasiveness that this attack may have, the script created previously has been published on pastebin, then the same procedure was followed, including the URL of the "paste", using Microsoft Power Query into an Excel file.

Above is an excerpt of the query contained in the "iqy" file in case it is exported from the Excel file.

The result was not good! The script has been read and calc.exe application has been executed.

Further tests were done by publishing the same script inside HTML web page and into a blog, the result was the same. The content of the scripts was read and executed by Microsoft Power Query. It should be noted that while sites like pastebin may be blocked by corporate URL filtering systems, other sites, having a high reputation, are not and therefore the risk of an infection starts to rise.

The most effective system to prevent cyber attacks remain awareness and information sharing. The user is the weak link in the chain, the one who, if he has had a training based on a structured awareness program, could block an intrusion by identifying those that are the newest and most refined social engineering techniques.

We need to train employees and managers in order to make them conscious and aware about all emails coming from outside.

Next post