Microsoft Office is one of the most prolific computer programs ever built. It started as the brainchild of the Microsoft Corporation back in the 1980s; Bill Gates announced it to the public at COMDEX in 1988. By 2012, Microsoft Office had more than a billion users. Office is a wonderful business and productivity tool that most companies could not function without.
It is for this exact reason that Office is a perfect platform for exploiting unsuspecting users. It is unfortunately all too easy to embed code in a document, and it is not limited to Visual Basic for Applications and macros. It does not require any advanced skills to write into a spreadsheet cell a line that can open the command prompt on your computer and execute various commands without your express consent. This type of attack is called a formula injection.
If you are interested in seeing the power of this type of attack, you can use the button below to download a spreadsheet with a formula injection that has a non-malicious payload (in other words, it won't hurt your computer). If you click through all the warnings (something I am telling you here and now never to do at any other time), the document will open your command prompt and launch your calculator.
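The post describes the attack from the reader's side; the other place to stop it is wherever a spreadsheet or CSV is produced from user-supplied data (an export feature, a report generator). The script below is an added example written for this page, not code from the post or from Microsoft. It scans CSV text for cells that a spreadsheet would interpret as a formula and neutralizes them by prefixing a single quote so the cell is shown as literal text. The trigger characters (`=`, `+`, `-`, `@`, tab and carriage return) are the ones commonly listed for this class of bug; the sample CSV and the rule that leaves plain negative numbers alone are my own assumptions about what an exporter needs.

```python
import csv
import io
import re

# Leading characters that make Excel, LibreOffice or Google Sheets treat a
# cell as a formula. Tab and carriage return are included because a cell that
# starts with one of them and then "=" still gets evaluated, which bypasses a
# check that only looks at the first character for "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A bare number such as "-5" or "+3.25" starts with a trigger character but is
# harmless; quoting it would turn a numeric column into text, so it is exempt.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def needs_neutralizing(cell: str) -> bool:
    """True if the cell would be parsed as a formula when opened in a spreadsheet."""
    if PLAIN_NUMBER.fullmatch(cell):
        return False
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-like cell with a single quote so it is displayed as text."""
    return "'" + cell if needs_neutralizing(cell) else cell


def parse_rows(text: str):
    """Parse CSV text into a list of rows (each row a list of cell strings)."""
    return list(csv.reader(io.StringIO(text)))


def scan_csv(text: str):
    """Return (row, col, value) for every cell in the CSV that looks like a formula.

    Useful as a detection step on inbound files or as a unit test on exports.
    """
    findings = []
    for r, row in enumerate(parse_rows(text)):
        for c, cell in enumerate(row):
            if needs_neutralizing(cell):
                findings.append((r, c, cell))
    return findings


def sanitize_csv(text: str) -> str:
    """Rewrite CSV text with every formula-like cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in parse_rows(text):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample export: one ordinary row, one legitimate negative number,
# and three cells that a spreadsheet would evaluate as formulas (the last one
# hides behind a leading tab). None of these do anything harmful when opened.
SAMPLE_CSV = (
    "name,amount,note\n"
    "alice,100,ok\n"
    'bob,"=1+1",equals sign\n'
    "carol,-5,negative number must survive\n"
    "dave,@SUM(1;2),at sign\n"
    'erin,"\t=1+1",tab then equals sign\n'
)

if __name__ == "__main__":
    for r, c, value in scan_csv(SAMPLE_CSV):
        print(f"row {r} col {c}: formula-like cell {value!r}")
    print(sanitize_csv(SAMPLE_CSV))
```

Run it against an export and `scan_csv` should come back empty after `sanitize_csv`; if a downstream tool strips the leading quote again, the check has to be repeated where the file is finally written. The quote is a mitigation for cell content only: the warning the post describes ("...needs to start another application") remains the user's last line of defense, and the user-side advice below still applies.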
If you ever get a warning that looks like this:
STOP. DO NOT CLICK YES.
There is absolutely no reason that you will ever need to view or work in a spreadsheet that you did not personally create that is dependent on a secondary application. If you see the words "...needs to start another application," ask yourself why could this be? What information could there possibly be elsewhere on my computer that this spreadsheet needs in order for it to effectively communicate information to me?
Because that's the thing: if the spreadsheet needs to open another application, that means there is something on your computer it needs to access in order to be effective. This document knows that you have something it wants. That should throw up the red flags. That should creep you out.
If someone sends you a spreadsheet like this, talk to them and ask for a spreadsheet that has only values, or at least one that is not dependent on outside sources for its information. If you do not know the author of the spreadsheet, for example if you downloaded the document from a website (any website, even our websites, in fact especially our websites), and you get this message, close the document and delete the file from your computer completely. Delete it, and then delete it from the Recycle Bin. Then, immediately let someone know that you believe you found a malicious document and explain the circumstances of your concern. The document you found may not be problematic, but there is just no reason at all to take that chance.
The lesson here is to be vigilant and use your logic WHENEVER something seems off. If it looks fishy, it almost definitely is fishy, even if the source appears legitimate. This is especially true when you're using applications that you use all the time. You know how it works, you know what it is supposed to look like, don't click through problems.