Cryptomining with JavaScript in an Excel spreadsheet

Definitely absolutely not predictable.

Cryptomining with JavaScript in an Excel spreadsheet

Well, that didn’t take long.

A few minutes after writing about the potential risks that might be introduced by Microsoft announcing JavaScript support in Excel custom functions, I wondered out loud how long it might take for someone to get a spreadsheet to mine for cryptocurrency.

Turns out I wasn’t the only one to have that idea.

Security researcher Charles Dardaman explains on his blog, how he was able to use Microsoft’s own documentation of how to use JavaScript functions in the Insider Preview edition of Excel to link a spreadsheet to the Coinhive cryptomining service.

Right now, JavaScript in Excel custom functions is only supported in the Developer Preview edition to Office 365 subscribers enrolled in the Office Insiders program. But it seems inevitable that in the not too distant future it will be available in more widely-used versions of Excel as well.

We don’t know what security measures Microsoft will put in place to try to prevent abuse of the functionality, or indeed how well they will work.

For now, here’s Durdaman’s advice:

If you are a Blue Teamer, like me, wondering how to defend against such an attack try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.

Tags: , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , ,

One Response

  1. Spryte

    May 10, 2018 at 7:42 pm #

    Microsoft’s own documentation” !!!!

    Yikes. Sad to hear

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.