I've run into a few mentions of this recently, so here are some notes on it to unambiguously make it previously-known.
If you put =cmd|'evil.exe' in a .csv file and then open it in Excel, it will apparently just run that command. Like, it kinda asks you, but every user will just click "Yes" because users like it when things work and this behavior is crazy.
In the future, Phabricator will be able to generate these files if a task title or description or whatever has =cmd|'evil.exe' at the beginning. Although we currently export only in .xls which I think escapes the fields as "text" (that is, not a formula), we're likely to export in .csv eventually (e.g., T5954). There is apparently (?) no real way to escape fields without mangling the data since Excel is very eager to run arbitrary commands it finds in .csv files.
Excel's behavior seems absurd here, but, e.g., this report is two years old: https://hackerone.com/reports/72785 so it probably isn't going to change any time soon.
When the time comes we can probably do some kind of test + warn + require user to sign in blood + mangle stuff.
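A sketch of the "test + warn + mangle" approach mentioned above, as an added example that is not Phabricator's code. The function names and sample rows are hypothetical, and the trigger characters other than `=` are an assumption taken from commonly published CSV-injection guidance rather than from this page.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula.
# The page only mentions "="; the others are an assumption (see lead-in).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """Test step: True if the cell could be interpreted as a formula."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def mangle(value):
    """Mangle step: prefix an apostrophe so the cell no longer starts
    with a trigger character.

    This changes the exported data, which is the trade-off described above.
    """
    return "'" + value if is_formula_like(value) else value


def export_csv(rows):
    """Return (csv_text, warnings); warnings holds (row, column, original)."""
    warnings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(rows):
        safe = []
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                warnings.append((r, c, cell))  # warn step: record what changed
            safe.append(mangle(cell))
        writer.writerow(safe)
    return out.getvalue(), warnings


# Constructed sample rows standing in for task titles and descriptions.
SAMPLE_ROWS = [
    ["T1", "Fix login page", "Normal description"],
    ["T2", "=cmd|'evil.exe'", "Title taken from the post"],
    ["T3", "-1 regression", "Legitimate data that still gets mangled"],
]

if __name__ == "__main__":
    text, warned = export_csv(SAMPLE_ROWS)
    print(text)
    for row, col, original in warned:
        print(f"warning: row {row} col {col} mangled: {original!r}")
```

The third sample row shows the cost: a harmless title beginning with `-` is altered too, so the warning list is what lets the exporting user see exactly which cells no longer match the source data.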