Threat Intelligence

    Analyzing the Integration of Python in Microsoft Excel
     

    As Microsoft introduces Python in Excel, Mimecast investigates security, LAMBDA comparisons, and new features

    by Yonatan Baum

    Key Points

    • Excel users can now harness Python in their worksheets, using their favorite data analytics libraries with Excel’s features.
    • When new features like this are announced, the security community is quick to question their safety, prompting us to look back at the safety of previous new features.
    • The Mimecast Research Team has investigated the impact of Excel’s LAMBDA functions and security risks, and how that feature release from 2021 compares to the new Python feature release.

     

    Python is one of the most popular programming languages today, loved by businesses and students alike, and Excel is an essential tool to organize, manipulate, and analyze all kinds of data. But, until now, there hasn’t been a straightforward way to make those two worlds work together. 

    For instance, imagine a scenario where a data-driven startup relies on Python for data analysis, while the business team prefers Microsoft Excel for reporting. Integrating Python and Excel allows the teams to integrate their workflows seamlessly in Excel, bridging the gap and simplifying their workflows.

    Naturally, the security community raises certain concerns about the safety of integrating Python and Excel, especially regarding end-users and their data. In this context, it's important to note that Microsoft 365 (M365) hasn't had a stellar track record when it comes to security, as shown in past vulnerabilities Mimecast has discovered, including MDB Leaker and 3D Office Exploiter. While M365 offers a range of productivity tools, it has faced security issues and vulnerabilities in the past, leading to data breaches and concerns among users.

    In that context, we would like to discuss a Mimecast-researched threat in another Excel feature, LAMBDA. By reviewing the results of a similar threat, we can gain useful insights when assessing a new potential attack vector.

    Excel's 2021 LAMBDA: Uncovering Security Risks

    Announced in 2021, Excel's LAMBDA functions included an exciting new feature that gave users the ability to craft custom functions using Excel’s formula functions as building blocks. LAMBDAs could be called by users on a given cell, by another LAMBDA or even by itself, in a recursive manner.

    As part of our usual threat investigation research, Mimecast Research Labs investigated the feature, looking for ways a hacker might take advantage of it. Eventually, we uncovered a technique that takes advantage of LAMBDAs to hide malware in Excel documents.

    Learn more by watching this talk and demo https://www.youtube.com/watch?v=FMraaIVMtRk

    Comparing Python and LAMBDA in Excel

     

    VBA Macros

    LAMBDA

    Python 

    Announced199320212023
    Requires coding knowledge?YesNoYes
    Execution environmentLocalNo Code ExecutionRemote (Azure)
    Supports external libraries?NoNoYes

    Given our historical research, there’s always more to learn when it comes to Python in Excel.

    Immediately, when comparing the two integrations, LAMBDA and Excel, we can spot the similarities. Both are ways for power users to enhance the existing formula set of Excel. We can also speculate, based on the previously conducted research, that Python in Excel could be used similarly to hide and obfuscate malicious code execution. Python could even pose a more imminent threat, because of the following reasons:

    1. Python is more flexible and more powerful than LAMBDA. This opens new possibilities for usages by hackers that were previously not possible. From harmless CTF games to in the wild zero-day exploits, hackers have taken advantage of Python’s flexibility. 
    2. Unlike LAMBDA, which uses the stricter formula set, making it easier to keep track of, it is theoretically possible for a hacker to hide malicious Python code in plain sight.
    3. Because Python integration in Excel through external libraries or add-ins is common, security risks exist if these libraries or add-ins are not kept up-to-date and secure. Since Python in Excel supports and is highly dependent on external libraries, it would be possible for a single threat actor to execute code on everyone who uses the library.

    The Bottom Line 

    The LAMBDA research can serve as a cautionary tale when considering the Python in Excel integration. This new feature could potentially endanger Microsoft Excel’s user base. Mimecast, as part of the security community, is investigating this feature, continuing to find ways to make the internet as secure as possible.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top