Skip to content

Microsoft Excel

Validate Microsoft Excel behaviors under the Secure Sandbox.

Objectives

  • Enforce network controls for external data connections and links.
  • Verify file system isolation for Open/Save operations.
  • Prevent data exfiltration via clipboard, drag-drop, and printing.
  • Ensure Protected View does not conflict with Turbo isolation.
  • Verify macro/VBA execution isolation.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.
  • Microsoft Excel installed.

Controls Under Test

  • runtime.networking.egressDefaultAction.
  • runtime.files.contexts and isolation overlays.
  • runtime.dataMotion.rules[] with channel: "clipboard"|"dragDrop"|"screenCapture".
  • device.type: "printer" controls.
  • Process isolation settings (macros).

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-APP-MICROSOFT-EXCEL-01NET-EGRESS-01External Data ConnectionData > Get Data > From Web.Connection blocked by proxy if not allowlisted.
SCEN-APP-MICROSOFT-EXCEL-02HARD-HOST-03Protected ViewOpen a downloaded file (Zone.Identifier present).App opens in Protected View (if configured); Turbo isolation still holds.
SCEN-APP-MICROSOFT-EXCEL-03HARD-FILES-01Save to HostAttempt Save As to Host Desktop.Writes restricted to overlay or allowed Storage Contexts.
SCEN-APP-MICROSOFT-EXCEL-04HARD-PROCESS-04Macro ExecutionOpen xlsm with macros; enable content.Macros run within sandbox; cannot spawn processes outside sandbox.
SCEN-APP-MICROSOFT-EXCEL-05DM-CLIP-01Clipboard OutboundCopy cells; paste to host.Denied/processed per policy.
SCEN-APP-MICROSOFT-EXCEL-06DM-DRAG-01Drag-Drop OutboundDrag file/cells to host.Blocked per policy.
SCEN-APP-MICROSOFT-EXCEL-07DM-DEVICE-01Print RestrictionFile > Print.Restricted to virtual/allowed printers.
SCEN-APP-MICROSOFT-EXCEL-08NET-EGRESS-01WEBSERVICE functionEnter =WEBSERVICE("https://example.com") in a cell.Denied; audit network with proxyEnforced: true.
SCEN-APP-MICROSOFT-EXCEL-09NET-EGRESS-01Stocks/Currencies data typesConvert tickers to Stocks/Currencies data types.Denied; no data retrieved; audit network event.
SCEN-APP-MICROSOFT-EXCEL-10NET-EGRESS-01External links over HTTP(S)Open a workbook with external links to URLs; allow “Update links”.Denied; link refresh fails; audit shows outbound attempt.
SCEN-APP-MICROSOFT-EXCEL-11NET-EGRESS-01External links via UNC/SMBLink to \\server\\share\\file.xlsx; update links on open.Denied; SMB egress blocked; audit shows deny.
SCEN-APP-MICROSOFT-EXCEL-12NET-EGRESS-01Power Query (Web/OData/SharePoint)Data > Get Data > From Web/OData/SharePoint; Refresh.Denied; requests fail-closed; proxy enforced.
SCEN-APP-MICROSOFT-EXCEL-13NET-EGRESS-01Publish to Power BIFile > Publish to Power BI.Denied unless explicitly allowlisted; audit shows deny.
SCEN-APP-MICROSOFT-EXCEL-14NET-EGRESS-01Office Add-ins StoreInsert > Get Add-ins; search and install a free add-in.Requests traverse enforced proxy; denied if store not allowlisted.
SCEN-APP-MICROSOFT-EXCEL-15HARD-PROCESS-04DDEAUTO to shellCreate a DDE field that launches cmd.exe or powershell.exe.Blocked; no process spawn.
SCEN-APP-MICROSOFT-EXCEL-16HARD-PROCESS-04XLM macro SHELL()Use Excel 4.0 macro sheet with =SHELL("cmd /c whoami").Blocked; no process spawn.
SCEN-APP-MICROSOFT-EXCEL-17HARD-PROCESS-04VBA network exfilMacro using MSXML2.XMLHTTP or WinHttp.WinHttpRequest.5.1 to POST cell data.Denied at egress boundary; audit network deny; no spawned child processes.
SCEN-APP-MICROSOFT-EXCEL-18DM-DRAG-01OLE package extraction via dragInsert Object > Package a file; drag the embedded object to Host Desktop.Blocked per policy.
SCEN-APP-MICROSOFT-EXCEL-19HARD-FILES-01OLE package Save As to hostOpen embedded package > File > Save As to host path.Denied or virtualized to overlay/context.
SCEN-APP-MICROSOFT-EXCEL-20DM-CLIP-01Large clipboard (cells → CSV)Copy a large range (≥100k cells) and paste on host.Denied/processed per policy (size/format caps).
SCEN-APP-MICROSOFT-EXCEL-21DM-CLIP-01Clipboard image (chart/picture)Copy a chart as picture; paste on host.Denied/processed per policy.
SCEN-APP-MICROSOFT-EXCEL-22DM-SCREEN-01Insert Screenshot (host window)Insert > Screenshot; select an external app window.Block/obfuscate or watermark per policy; audit screenCapture.
SCEN-APP-MICROSOFT-EXCEL-23DM-DEVICE-01Print to PDF/XPSFile > Print > Microsoft Print to PDF/XPS; save to Host Desktop.Writes restricted to overlay/context; device audit present.
SCEN-APP-MICROSOFT-EXCEL-24NET-EGRESS-09Proxy fail-closed during refreshTake proxy down; Refresh All (Data tab).Denied; reason: "proxyUnavailable"; no direct fallback.
SCEN-APP-MICROSOFT-EXCEL-25NET-EGRESS-10Proxy identity/pinningIntercept proxy TLS with wrong CA; refresh connection.Denied; `reason: "certMismatch"
SCEN-APP-MICROSOFT-EXCEL-26NET-EGRESS-11IPv6 direct egressUse WEBSERVICE with an IPv6 literal URL.Denied; ipVersion: 6, action: deny.

Evidence Requirements

  • network events: protocol/alpn, destination/sni (when applicable), ipVersion, action, outcome, proxyEnforced, and reason (for example, unauthorizedProxy, proxyUnavailable, certMismatch, pinningFailed).
  • fileOp events: write attempts to host paths; include path, action/outcome (deny/virtualized), and context identifiers.
  • dataMotion events: channel (clipboard|dragDrop|screenCapture), direction (for clipboard), action, outcome, rule.id, priority.
  • device events: print attempts, virtual printer usage.
  • process events: child process creation attempts (for example, from DDE/XLM/VBA), including process image and outcome.

Troubleshooting

  • Protected View may suppress some actions until you select Enable Editing/Enable Content; perform tests after enabling when required by the scenario.
  • Some enterprise builds hide cloud features (Power BI/SharePoint/OneDrive) via policy. When hidden, mark those as not applicable and focus on analogous external data connection flows.
  • Add-ins can vary; test a representative free add-in to exercise marketplace/proxy enforcement.

Known Limitations & Negative Space

  • Optical capture (camera/phone) is out of scope.
  • If Excel is federated with enterprise sign-in, authentication prompts might appear but network egress should still fail-closed without allowlisting.
  • SMB/UNC scenarios model outbound access; internal, policy-mapped Storage Contexts remain in scope and may be allowed by configuration.