Compliance & Audit

CSV injection: How this flaw threatens SOC managers

5 min read · Akuity SOC · Delphisoft Deutschland

Security exports can be hijacked by malicious Excel formulas. Learn about the CSV injection vulnerability and how to protect yourself from it.

In cybersecurity governance and compliance processes, data export is a daily routine. Whether providing a consolidated incident report for an NIS 2 audit, extracting the list of non-compliant machines for management, or generating the monthly billing history for an MSSP client, the CSV (Comma-Separated Values) format is the absolute industry standard. It is a simple, universal format that is easily readable by software such as Microsoft Excel or Google Sheets.

However, this simplicity hides a sneaky software vulnerability that security teams too often ignore: CSV injection (also called Formula Injection). An attacker can plant data during their attack that ends up in the export file, and thereby take control of the computer of the administrator or accountant who later opens the document. Let's decipher how this flaw works and the surgical method for protecting against it.

The Formula Injection Mechanism (The Spreadsheet Attack)

How does a CSV injection work? The attack does not target the SaaS server which generates the file, but the client application (the Excel spreadsheet) which will interpret it.

Microsoft Excel and modern spreadsheets have a native feature: if a text cell begins with a mathematical symbol such as = (equals), + (plus), - (minus) or @ (at), the software does not display the raw text; it interprets it as a dynamic formula.

A malicious attacker who knows that your SOC teams regularly export incident history will deliberately rename their compromised device, or inject a specific character string into their payload, so that it lands in the export.

For example, they will configure their machine name or a suspicious command line to read:

=CMD|'/c calc.exe'!A1

The infection scenario

  1. Microsoft Defender detects the alert on the machine with this malicious name and forwards it to the SOC orchestrator.
  2. At the end of the month, the system administrator or MSSP goes to the Akuity SOC settings page and clicks "Generate a CSV archive" to extract the complete ticket history.
  3. The application generates the file cleanly and sends it by email or direct download.
  4. The administrator (or the accounting department for billing of consumed incidents) opens the file in Microsoft Excel.
  5. Excel encounters a cell starting with =. It interprets the dynamic command CMD, invokes the Windows Dynamic Data Exchange (DDE) protocol, and launches the command prompt to execute the malicious code (in this basic example, opening the calculator, calc.exe). The attacker has just compromised the security administrator's computer.

Akuity's response: Automatic sanitization of exports

Faced with this critical risk that directly threatens business accountability and trust, an enterprise-grade cybersecurity platform cannot simply blame Microsoft Excel's weaknesses. It must apply strict data cleaning (Sanitization) before generating the file.

This is the defensive architecture implemented within the export settings management module of Akuity SOC.

The security apostrophe rule

When you trigger the generation of a CSV archive (or a consolidated billing report reserved for Super-Administrators), the platform's backend engine reviews each text cell before writing it to the export file.

If a piece of data (whether it's a username, a ticket title, or an IOC description) begins with one of the four formula-triggering characters (=, +, -, @), the system instantly applies a security modifier: it prefixes the cell with a single apostrophe (').
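The following is an added illustration of the apostrophe rule in Python, written for this article; it is not Akuity SOC's own code. It sanitizes every cell before writing and, going beyond the four characters listed above, also neutralizes cells beginning with a tab or carriage return, as OWASP's CSV injection guidance recommends. The sample tickets are constructed, and the third one carries the DDE payload quoted earlier.

```python
import csv
import io

# Characters that make Excel or Google Sheets treat a cell as a formula.
# The article lists the first four; tab and carriage return are added here
# following OWASP's CSV injection guidance (an extension beyond the article).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would interpret this cell as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value):
    """Apply the security apostrophe: prefix formula-like cells with '.

    Non-string values (ints, None) pass through unchanged. A cell that is
    already prefixed starts with ', not a trigger, so re-exporting sanitized
    data does not add a second apostrophe.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_tickets(rows, fieldnames):
    """Render rows as CSV text, sanitizing each cell before it is written.

    csv.DictWriter additionally quotes cells containing delimiters or double
    quotes and doubles embedded quotes, so a value cannot escape its cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: sanitize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample tickets (not real data). The third hostname is the
# payload from the article; the fourth title exercises quote/comma escaping.
SAMPLE_TICKETS = [
    {"id": 101, "hostname": "WS-FINANCE-01", "title": "Malware quarantined"},
    {"id": 102, "hostname": "-LEGACY-PRINT", "title": "Outdated agent"},
    {"id": 103, "hostname": "=CMD|'/c calc.exe'!A1", "title": "Suspicious process"},
    {"id": 104, "hostname": "SRV-DB-02", "title": 'Title with "quotes", comma'},
]

if __name__ == "__main__":
    print(export_tickets(SAMPLE_TICKETS, ["id", "hostname", "title"]))
```

Opened in a spreadsheet, the sanitized hostname displays as the literal text `=CMD|'/c calc.exe'!A1` instead of being evaluated.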

Related Solution Page

SOC 2, NIS 2 and Audit Logs Compliance

A sovereign SOC orchestrator designed for NIS 2 and SOC 2 compliance. RLS isolation, immutable audit logs and secure export (CSV).
