Based on further research into the new Python in Excel feature, a hunting query was created to detect modifications of the mentioned registry key to the value 0. Setting this value allows Python code to be executed by Excel without any warning or permission from the user. We suggest using the following query to monitor such cases and mitigate potential risks in the future.
While this feature has great potential, we expect that threat actors will use the capability to execute malicious Python code in order to deploy malware or steal sensitive data from the impacted device. To mitigate this threat, we strongly recommend modifying the relevant registry keys as suggested by Microsoft, using one of the following commands (https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327):
1. Warning - Enable a warning prompt when opening an Excel file that contains Python code:
   reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 1 /f
2. Block - Block Python code from being executed in Excel files:
   reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 2 /f
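The detection logic described at the top of this page (flag any write that sets PythonFunctionWarnings to 0), sketched as an added example that is not the team's hunting query or code from the original page. It assumes registry value-set events with Sysmon Event ID 13 field names, exported as dictionaries; the sample events, host names and SID are constructed.

```python
import re

# Value named on this page, lower-cased: registry paths are case-insensitive.
TARGET_SUFFIX = r"\software\policies\microsoft\office\16.0\excel\security\pythonfunctionwarnings"
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def parse_dword(details):
    """Parse a Sysmon-style 'DWORD (0x00000000)' string; None if it is not a DWORD."""
    match = DWORD_RE.fullmatch(details.strip())
    return int(match.group(1), 16) if match else None


def hunt(events):
    """Return one finding per event that sets PythonFunctionWarnings to 0."""
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        if not ev.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
            continue
        if parse_dword(ev.get("Details", "")) == 0:
            findings.append({"host": ev.get("Computer"), "process": ev.get("Image"),
                             "target": ev["TargetObject"]})
    return findings


# Constructed sample events (not real telemetry); hosts and SID are made up.
_KEY = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Policies\Microsoft\Office\16.0\Excel\Security"
SAMPLE_EVENTS = [
    {"Computer": "WS-EXAMPLE-01", "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _KEY + r"\PythonFunctionWarnings", "Details": "DWORD (0x00000000)"},
    {"Computer": "WS-EXAMPLE-02", "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _KEY + r"\PythonFunctionWarnings", "Details": "DWORD (0x00000002)"},
    {"Computer": "WS-EXAMPLE-03", "EventType": "SetValue", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": _KEY.upper() + r"\PYTHONFUNCTIONWARNINGS", "Details": "DWORD (0x00000000)"},
    {"Computer": "WS-EXAMPLE-04", "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _KEY + r"\ExampleOtherValue", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['process']} set {finding['target']} to 0")
```

The writing process is kept in each finding so an analyst can separate an administrative change from an unexpected one.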
The team will conduct a more in-depth exploration and will update with relevant information.