Office 365 Admins Can Now Block Malicious Microsoft Query IQY Files



Microsoft has silently added a new Group Policy (GPO) to allow Office 365 admins to block Excel users from opening untrusted Microsoft Query files with IQY, OQY, DQY, and RQY extensions.


Microsoft Query files are used to retrieve data from external sources such as corporate Microsoft Office Access, Microsoft SQL Server, and Microsoft SQL Server OLAP Services servers, Excel workbooks, and even from text files.


This type of file has been increasingly weaponized in malicious attacks. Various campaigns have been observed actively using IQY files since early 2018, for instance to deliver remote access Trojans and malware loaders, and very recent reports also mention active campaigns.
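As an added illustration (not code from the article or from Microsoft), a mail or file gateway can triage attachments carrying the four extensions named above and check where a web query points. The `WEB` / version / URL layout assumed for `.iqy` files, the `TRUSTED_HOSTS` allowlist, the function names and the sample inputs are all assumptions constructed for this example.

```python
from pathlib import PurePath
from urllib.parse import urlsplit

QUERY_EXTS = {".iqy", ".oqy", ".dqy", ".rqy"}  # extensions named in the article
TRUSTED_HOSTS = {"reports.corp.example"}       # assumption: your own allowlist

def iqy_url(text):
    """Return the URL a web query would fetch, or None if none is found."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumed layout: "WEB", a version line, then the URL.
    if len(lines) >= 3 and lines[0].upper() == "WEB":
        return lines[2]
    # Otherwise take the first line that looks like a URL.
    return next((ln for ln in lines if "://" in ln), None)

def triage(filename, content):
    """Classify an attachment as 'ignore', 'allow', 'review' or 'block'."""
    # Windows drops trailing dots and spaces, so "a.iqy." still opens in Excel.
    ext = PurePath(filename.rstrip(". ")).suffix.lower()
    if ext not in QUERY_EXTS:
        return "ignore"
    if ext != ".iqy":
        return "review"  # other Query types are not parsed here
    url = iqy_url(content.decode("utf-8-sig", errors="replace"))
    if url is None:
        return "review"
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return "block"
    # Only HTTPS to an allowlisted host passes; userinfo tricks resolve to the real host.
    if parts.scheme.lower() == "https" and host in TRUSTED_HOSTS:
        return "allow"
    return "block"

# Constructed sample attachments (not taken from any real campaign).
SAMPLES = {
    "Invoice.IQY": b"WEB\r\n1\r\nhttp://files.invalid/a.dat\r\n",
    "sales.iqy": b"\xef\xbb\xbfWEB\n1\nhttps://reports.corp.example/q?id=1\n",
    "trick.iqy.": b"WEB\n1\nhttps://reports.corp.example@files.invalid/x\n",
    "cube.oqy": b"",
    "notes.txt": b"WEB\n1\nhttp://files.invalid/a.dat\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} -> {triage(name, data)}")
```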


Two other new GPOs allow Office admins to make sure that untrusted database files (e.g., DBF) and text-based files (i.e., CSV, DIF, and SYLK) are always opened in Protected View, as discovered by SwiftOnSecurity.



NEW: Excel adds Group Policy to block untrusted Microsoft Query files (.iqy, .oqy, .dqy, .rqy) from opening. These files bypass many security controls to allow infection. Policy requires Office365 license.

Security threat: https://t.co/DVGJPRJKcR ADMX: https://t.co/5c4KIoSX5E


— SwiftOnSecurity (@SwiftOnSecurity) October 2, 2019

Untrusted Microsoft Query files can also be blocked manually


The three GPOs can be