CSV injection and client-side Excel DDE attacks are well-known in the security community. This talk explores and demonstrates new ways spreadsheet formulas can be used to exploit servers and cloud platforms supported by spreadsheet technology. By injecting formulas into server-side services and without client interaction, we will demonstrate how we have stolen sensitive data, inserted backdoors, and obtained remote code execution during client engagements.

Security Associate Jake Miller will discuss these new types of Excel exploitation attacks in his Server-side Spreadsheet Injections: Leveraging Spreadsheet Formulas for High-Impact Attacks talk at the Empire Hacking NYC Meetup on Tuesday, June 12, 2018.