Totally stumbled across this by accident, but it does not look like I ma the first to find this:
http://georgemauer.net/2017/10/07/csv-injection.html
https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
https://pentestmag.com/formula-injection/
https://www.contextis.com/blog/comma-separated-vulnerabilities
https://hackerone.com/reports/72785
