If anyone actually has bona fide Excel.exe installed, you could try opening this file to double check that we're not currently vulnerable:

If that runs calc.exe or prompts you to "update cells" (this is Excel's special way of saying "execute arbitrary untrusted code") this isn't limited to .csv.

Checked on Excel 2016 and it didn't run calc.exe or prompt for "update cells". Also checked on Excel for mac~

Good to hear, thanks!

Saving this file as csv also doesn't trigger the bug in Excel 2016 - on reopening, Excel misdetects the format as SYLK, warns about the extension not matching, then warns that an error occured during loading, and finally when you agree to continue loading as "a different format", it opens without running calc.exe or prompting to update cells.

It seems an up to date patched Excel 2016 is not vulnerable.

After finding https://support.microsoft.com/en-gb/help/323626/-sylk-file-format-is-not-valid-error-message-when-you-open-file and changing the first cell contents to Task ID instead of ID, the csv file is still opened without calc.exe or cell updating.

Actually, Excel 2016 is vulnerable. The test case is incomplete. The cell needs to be =cmd|'/C evil.exe'!A0 to trigger the issue.
By modifying the value in both the xlsx and csv files, I was able to blindly click yes on lots of warning prompts and start calc.exe. But I am not sure that modifying the value in the xlsx file is giving the same result as the export would (something may have been stripped off in the meantime...)

Here's a version with =cmd|'/C evil.exe'!A0 if that produces different results:

It doesn't try to run evil.exe until I edit the cell (the csv version, and the modified xlsx I saved myself try to start on opening).

This is relevant now that work related to T13049 has added CSV support.

I guess I'll just mangle the data. ¯\_(ツ)_/¯