Threat Intelligence

    Analyzing the Integration of Python in Microsoft Excel
     

    As Microsoft introduces Python in Excel, Mimecast investigates security, LAMBDA comparisons, and new features.
     

    by Yonatan Baum

    Key Points

    • Excel users can now harness Python in their worksheets, using their favorite data analytics libraries with Excel’s features.
    • When new features like this are announced, the security community is quick to question their safety, prompting us to look back at the safety of previous new features.
    • The Mimecast Research Team has investigated the security risks of Excel’s LAMBDA functions, and how that 2021 feature release compares to the new Python feature release.

     

    Last month, Microsoft announced a big feature for Excel: Python in Microsoft Excel.

    Python is one of the most popular programming languages today, loved by businesses and students alike, and Excel is an essential tool to organize, manipulate, and analyze all kinds of data. But, until now, there hasn’t been a straightforward way to make those two worlds work together. 

    For instance, imagine a data-driven startup that relies on Python for data analysis, while its business team prefers Microsoft Excel for reporting. Running Python inside Excel would let both teams work in one place, bridging the gap and simplifying their workflows.

    Naturally, whenever a new and exciting feature is announced, the security community raises certain concerns about the safety of this feature, especially regarding end-users and their data. In this context, it's important to note that Microsoft 365 (M365) hasn't had a stellar track record when it comes to security, as shown in past vulnerabilities Mimecast has discovered, including MDB Leaker and 3D Office Exploiter. While M365 offers a range of productivity tools, it has faced security issues and vulnerabilities in the past, leading to data breaches and concerns among users.

    While the community examines this new feature and provides feedback on secure ways of implementing it, we would like to discuss a recent Mimecast-researched threat in another Excel feature, LAMBDA. By reviewing the results of a similar threat, we can gain useful insights when assessing a new potential attack vector.

    Excel's 2021 LAMBDA: Uncovering Security Risks

    Announced in 2021, Excel's LAMBDA function was an exciting new feature that gave users the ability to craft custom functions using Excel’s formula functions as building blocks. A LAMBDA could be called by a user on a given cell, by another LAMBDA, or even by itself, in a recursive manner.

    As part of our usual threat investigation research, Mimecast Research Labs investigated the feature, looking for ways a hacker might take advantage of it. Eventually, we uncovered a technique that takes advantage of LAMBDAs to hide malware in Excel documents.

    Learn more by watching this talk and demo: https://www.youtube.com/watch?v=FMraaIVMtRk

    Comparing Python and LAMBDA in Excel

                                   VBA Macros   LAMBDA               Python
    Announced                      1993         2021                 2023
    Requires coding knowledge?     Yes          No                   Yes
    Execution environment          Local        No code execution    Remote (Azure)
    Supports external libraries?   No           No                   Yes

    Given our earlier research, there is more to learn about Python in Excel than the announcement alone shows.

    Immediately, when comparing the two announcements, we can spot the similarities. Both are ways for power users to enhance the existing formula set of Excel. We can also speculate, based on the previously conducted research, that Python in Excel could be used similarly to hide and obfuscate malicious code execution. Python could even pose a more imminent threat, for the following reasons:

    1. Python is more flexible and more powerful than LAMBDA. This opens up uses for attackers that were not possible before. From harmless CTF games to in-the-wild zero-day exploits, hackers have taken advantage of Python’s flexibility.
    2. LAMBDA is confined to Excel's stricter formula set, which makes it easier to keep track of. With Python, it is theoretically possible for an attacker to hide malicious code in plain sight.
    3. Python integration in Excel through external libraries or add-ins is common, and security risks exist if those libraries or add-ins are not kept up to date and secure. Since Python in Excel supports and is highly dependent on external libraries, a single threat actor who compromises a library could execute code on every user of that library.
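    A defender's triage check for the two mechanisms discussed above (custom LAMBDA functions, including ones that call themselves, and Python formulas), as an added example that is not code from Mimecast or Microsoft. An .xlsx file is a zip of XML parts: defined names, where LAMBDAs live, sit in xl/workbook.xml, and cell formulas sit in <f> elements of each xl/worksheets/*.xml part. The script assumes Python in Excel's PY() worksheet function as the entry point for Python code. The workbook it inspects is constructed inline as a minimal sample; its formulas are harmless placeholders, and the findings are meant to queue a document for review, not to declare it malicious.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by real .xlsx parts.
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed sample workbook, not a real sample from the wild: one LAMBDA that
# calls itself, one ordinary LAMBDA, one plain named constant, and one cell
# whose formula hands a string to PY(). The bodies exist only to exercise the
# scanner.
WORKBOOK_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS}">
  <sheets><sheet name="Sheet1" sheetId="1"/></sheets>
  <definedNames>
    <definedName name="Countdown">LAMBDA(n, IF(n&lt;=0, 0, Countdown(n-1)))</definedName>
    <definedName name="Tax">LAMBDA(x, x*0.2)</definedName>
    <definedName name="Rate">0.05</definedName>
  </definedNames>
</workbook>"""

SHEET_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="{NS}">
  <sheetData>
    <row r="1"><c r="A1"><f>SUM(B1:B3)</f><v>6</v></c></row>
    <row r="2"><c r="A2"><f>PY("import pandas as pd")</f></c></row>
    <row r="3"><c r="A3"><f>Countdown(3)</f><v>0</v></c></row>
  </sheetData>
</worksheet>"""


def build_sample_xlsx() -> bytes:
    """Package the constructed parts into a minimal .xlsx (a zip of XML)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Return LAMBDA-defined names, self-referencing LAMBDAs, and PY() cells."""
    findings = {"lambda_names": [], "recursive_lambdas": [], "python_cells": []}
    lambda_re = re.compile(r"^\s*LAMBDA\s*\(", re.IGNORECASE)
    py_re = re.compile(r"^\s*PY\s*\(", re.IGNORECASE)

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Custom functions are stored as defined names in the workbook part.
        root = ET.fromstring(z.read("xl/workbook.xml"))
        for dn in root.iter(f"{{{NS}}}definedName"):
            name, body = dn.get("name", ""), dn.text or ""
            if not lambda_re.match(body):
                continue
            findings["lambda_names"].append(name)
            # A LAMBDA whose body calls its own name is recursive and deserves
            # a closer look than a plain helper formula.
            if re.search(rf"\b{re.escape(name)}\s*\(", body):
                findings["recursive_lambdas"].append(name)

        # Cell formulas live in <f> children of <c> in each worksheet part.
        for part in sorted(z.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            sheet = ET.fromstring(z.read(part))
            for cell in sheet.iter(f"{{{NS}}}c"):
                f = cell.find(f"{{{NS}}}f")
                if f is not None and py_re.match(f.text or ""):
                    findings["python_cells"].append((part, cell.get("r")))
    return findings


if __name__ == "__main__":
    for key, value in scan_workbook(build_sample_xlsx()).items():
        print(f"{key}: {value}")
```

    On the constructed sample the scan reports two LAMBDA names, one of them recursive, and a single PY() cell at Sheet1!A2. Run against real mail attachments, a non-empty result is a reason to route the file to sandboxing or analyst review; the regexes deliberately match only the outermost function so that ordinary formulas that merely call a LAMBDA by name are not flagged.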

    The Bottom Line 

    The LAMBDA research can serve as a cautionary tale when considering the Python in Excel announcement. This new feature could potentially endanger Microsoft Excel’s user base. Mimecast, as part of the security community, is investigating this new feature, continuing to find ways to make the internet as secure as possible.
