My colleagues over at the Mimecast Threat Center have found and developed a technique that uses Power Query in Excel to dynamically launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet and actively control the payload Power Query.
Mimecast worked with Microsoft as part of the Coordinated Vulnerability Disclosure (CVD) process to determine if this is an intended behavior for Power Query, or if it was an issue to be addressed. While they declined to issue a fix at this time, Microsoft published an advisory (4053440) that indicates steps and procedures to provide information regarding security settings for Microsoft Office applications. The advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange fields.
Note that if you are a Targeted Threat Protection user, you are protected from the use of this technique already.
You can check out the full story from my colleague Ofir Shlomo of Mimecast Threat Center over at the Mimecast blog, which details in depth a potential exploit using Power Query to launch a DDE exploit.