Appearance
Microsoft Excel
Validate Microsoft Excel behaviors under the Secure Sandbox.
Objectives
- Enforce network controls for external data connections and links.
- Verify file system isolation for Open/Save operations.
- Prevent data exfiltration via clipboard, drag-drop, and printing.
- Ensure Protected View does not conflict with Turbo isolation.
- Verify macro/VBA execution isolation.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
- Microsoft Excel installed.
Controls Under Test
runtime.networking.egressDefaultAction.runtime.files.contextsand isolation overlays.runtime.dataMotion.rules[]withchannel: "clipboard"|"dragDrop"|"screenCapture".device.type: "printer"controls.- Process isolation settings (macros).
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-APP-MICROSOFT-EXCEL-01 | NET-EGRESS-01 | External Data Connection | Data > Get Data > From Web. | Connection blocked by proxy if not allowlisted. |
| SCEN-APP-MICROSOFT-EXCEL-02 | HARD-HOST-03 | Protected View | Open a downloaded file (Zone.Identifier present). | App opens in Protected View (if configured); Turbo isolation still holds. |
| SCEN-APP-MICROSOFT-EXCEL-03 | HARD-FILES-01 | Save to Host | Attempt Save As to Host Desktop. | Writes restricted to overlay or allowed Storage Contexts. |
| SCEN-APP-MICROSOFT-EXCEL-04 | HARD-PROCESS-04 | Macro Execution | Open xlsm with macros; enable content. | Macros run within sandbox; cannot spawn processes outside sandbox. |
| SCEN-APP-MICROSOFT-EXCEL-05 | DM-CLIP-01 | Clipboard Outbound | Copy cells; paste to host. | Denied/processed per policy. |
| SCEN-APP-MICROSOFT-EXCEL-06 | DM-DRAG-01 | Drag-Drop Outbound | Drag file/cells to host. | Blocked per policy. |
| SCEN-APP-MICROSOFT-EXCEL-07 | DM-DEVICE-01 | Print Restriction | File > Print. | Restricted to virtual/allowed printers. |
| SCEN-APP-MICROSOFT-EXCEL-08 | NET-EGRESS-01 | WEBSERVICE function | Enter =WEBSERVICE("https://example.com") in a cell. | Denied; audit network with proxyEnforced: true. |
| SCEN-APP-MICROSOFT-EXCEL-09 | NET-EGRESS-01 | Stocks/Currencies data types | Convert tickers to Stocks/Currencies data types. | Denied; no data retrieved; audit network event. |
| SCEN-APP-MICROSOFT-EXCEL-10 | NET-EGRESS-01 | External links over HTTP(S) | Open a workbook with external links to URLs; allow “Update links”. | Denied; link refresh fails; audit shows outbound attempt. |
| SCEN-APP-MICROSOFT-EXCEL-11 | NET-EGRESS-01 | External links via UNC/SMB | Link to \\server\\share\\file.xlsx; update links on open. | Denied; SMB egress blocked; audit shows deny. |
| SCEN-APP-MICROSOFT-EXCEL-12 | NET-EGRESS-01 | Power Query (Web/OData/SharePoint) | Data > Get Data > From Web/OData/SharePoint; Refresh. | Denied; requests fail-closed; proxy enforced. |
| SCEN-APP-MICROSOFT-EXCEL-13 | NET-EGRESS-01 | Publish to Power BI | File > Publish to Power BI. | Denied unless explicitly allowlisted; audit shows deny. |
| SCEN-APP-MICROSOFT-EXCEL-14 | NET-EGRESS-01 | Office Add-ins Store | Insert > Get Add-ins; search and install a free add-in. | Requests traverse enforced proxy; denied if store not allowlisted. |
| SCEN-APP-MICROSOFT-EXCEL-15 | HARD-PROCESS-04 | DDEAUTO to shell | Create a DDE field that launches cmd.exe or powershell.exe. | Blocked; no process spawn. |
| SCEN-APP-MICROSOFT-EXCEL-16 | HARD-PROCESS-04 | XLM macro SHELL() | Use Excel 4.0 macro sheet with =SHELL("cmd /c whoami"). | Blocked; no process spawn. |
| SCEN-APP-MICROSOFT-EXCEL-17 | HARD-PROCESS-04 | VBA network exfil | Macro using MSXML2.XMLHTTP or WinHttp.WinHttpRequest.5.1 to POST cell data. | Denied at egress boundary; audit network deny; no spawned child processes. |
| SCEN-APP-MICROSOFT-EXCEL-18 | DM-DRAG-01 | OLE package extraction via drag | Insert Object > Package a file; drag the embedded object to Host Desktop. | Blocked per policy. |
| SCEN-APP-MICROSOFT-EXCEL-19 | HARD-FILES-01 | OLE package Save As to host | Open embedded package > File > Save As to host path. | Denied or virtualized to overlay/context. |
| SCEN-APP-MICROSOFT-EXCEL-20 | DM-CLIP-01 | Large clipboard (cells → CSV) | Copy a large range (≥100k cells) and paste on host. | Denied/processed per policy (size/format caps). |
| SCEN-APP-MICROSOFT-EXCEL-21 | DM-CLIP-01 | Clipboard image (chart/picture) | Copy a chart as picture; paste on host. | Denied/processed per policy. |
| SCEN-APP-MICROSOFT-EXCEL-22 | DM-SCREEN-01 | Insert Screenshot (host window) | Insert > Screenshot; select an external app window. | Block/obfuscate or watermark per policy; audit screenCapture. |
| SCEN-APP-MICROSOFT-EXCEL-23 | DM-DEVICE-01 | Print to PDF/XPS | File > Print > Microsoft Print to PDF/XPS; save to Host Desktop. | Writes restricted to overlay/context; device audit present. |
| SCEN-APP-MICROSOFT-EXCEL-24 | NET-EGRESS-09 | Proxy fail-closed during refresh | Take proxy down; Refresh All (Data tab). | Denied; reason: "proxyUnavailable"; no direct fallback. |
| SCEN-APP-MICROSOFT-EXCEL-25 | NET-EGRESS-10 | Proxy identity/pinning | Intercept proxy TLS with wrong CA; refresh connection. | Denied; `reason: "certMismatch" |
| SCEN-APP-MICROSOFT-EXCEL-26 | NET-EGRESS-11 | IPv6 direct egress | Use WEBSERVICE with an IPv6 literal URL. | Denied; ipVersion: 6, action: deny. |
Evidence Requirements
networkevents:protocol/alpn,destination/sni(when applicable),ipVersion,action,outcome,proxyEnforced, andreason(for example,unauthorizedProxy,proxyUnavailable,certMismatch,pinningFailed).fileOpevents: write attempts to host paths; includepath,action/outcome(deny/virtualized), and context identifiers.dataMotionevents:channel(clipboard|dragDrop|screenCapture),direction(for clipboard),action,outcome,rule.id,priority.deviceevents: print attempts, virtual printer usage.processevents: child process creation attempts (for example, from DDE/XLM/VBA), including process image and outcome.
Troubleshooting
- Protected View may suppress some actions until you select Enable Editing/Enable Content; perform tests after enabling when required by the scenario.
- Some enterprise builds hide cloud features (Power BI/SharePoint/OneDrive) via policy. When hidden, mark those as not applicable and focus on analogous external data connection flows.
- Add-ins can vary; test a representative free add-in to exercise marketplace/proxy enforcement.
Known Limitations & Negative Space
- Optical capture (camera/phone) is out of scope.
- If Excel is federated with enterprise sign-in, authentication prompts might appear but network egress should still fail-closed without allowlisting.
- SMB/UNC scenarios model outbound access; internal, policy-mapped Storage Contexts remain in scope and may be allowed by configuration.
