Cryptomining with JavaScript in an Excel spreadsheet

Definitely absolutely not predictable.

Well, that didn’t take long.

A few minutes after writing about the potential risks that might be introduced by Microsoft announcing JavaScript support in Excel custom functions, I wondered out loud how long it might take for someone to get a spreadsheet to mine for cryptocurrency.

Turns out I wasn’t the only one to have that idea.

Security researcher Charles Dardaman explains on his blog how he was able to use Microsoft’s own documentation on JavaScript functions in the Insider Preview edition of Excel to link a spreadsheet to the Coinhive cryptomining service.

Right now, JavaScript in Excel custom functions is only supported in the Developer Preview edition, which is available to Office 365 subscribers enrolled in the Office Insiders program. But it seems inevitable that in the not-too-distant future it will be available in more widely used versions of Excel as well.

We don’t know what security measures Microsoft will put in place to try to prevent abuse of the functionality, or indeed how well they will work.

For now, here’s Dardaman’s advice:

If you are a Blue Teamer, like me, wondering how to defend against such an attack, try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Cryptomining with JavaScript in an Excel spreadsheet”

  1. Spryte

    "Microsoft’s own documentation" !!!!

    Yikes. Sad to hear
