Microsoft Outlook and Word DDE Attacks

In the last two weeks, Sophos researchers have kept an eye on a vulnerability in Microsoft’s Dynamic Data Exchange (DDE) protocol used to send messages and share data between applications.

On Friday, independent reports surfaced showing that it’s possible to run DDE attacks in Outlook using emails and calendar invites formatted using Microsoft Outlook Rich Text Format (RTF), not just by sending Office files attached to emails.

In the original attack, users had to be coaxed into opening a malicious attachment. By putting the DDE field into the email message body itself, the attacker removes one step from the chain, so the social engineering needed to talk a recipient into falling for it becomes easier.

The good news is that whether a DDE attack comes via an attachment or directly in an email or a calendar invite, you can stop it easily. Attachments, emails and calendar invites all pop up two warning dialogs before a DDEAUTO field is executed; if you say “No” at either dialog, the attack is prevented. (SophosLabs is not yet aware of any mechanism that bypasses these dialog boxes.)

You can also neuter DDE attacks embedded directly in emails by viewing all your messages in plain text format, regardless of the format they were sent in. However, this disables all formatting, colors and images in every message, including those sent in the popular HTML email format, which will make some messages harder to read and may hide some content entirely.
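For mail gateways and responders who want to flag such messages before a user ever sees the dialogs, the following is an added example (not from the article or from Sophos) of a small scanner that pulls every field instruction out of an RTF body and reports the ones that begin with DDE or DDEAUTO. The RTF sample is constructed; its field code is split with a hex escape to show why the instruction text has to be decoded before matching rather than grepped raw.

```python
import re

# Constructed RTF fragment shaped like a Word/Outlook field: {\field{\*\fldinst ...}{\fldrslt ...}}.
# The hex escape \'41 decodes to "A", so a raw search for "DDEAUTO" would miss it.
SAMPLE_RTF = (
    r"{\rtf1\ansi Quarterly report attached. "
    r"{\field{\*\fldinst { DDE\'41UTO c:\\Windows\\System32\\cmd.exe "
    r'"/c echo demo" }}{\fldrslt  }} Regards}'
)

_CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?")   # e.g. \rtf1 \ansi \fldinst
_HEX_ESCAPE = re.compile(r"\\'([0-9A-Fa-f]{2})")    # e.g. \'41
_DDE_FIELD = re.compile(r"^(DDEAUTO|DDE)\b", re.IGNORECASE)
_ESCAPED_BACKSLASH = "\x00"  # placeholder so \\ survives control-word stripping


def _fldinst_groups(rtf):
    """Return the raw text of every \\fldinst group, honouring brace nesting and RTF escapes."""
    groups = []
    for m in re.finditer(r"\\fldinst", rtf):
        depth, start, i = 1, m.end(), m.end()
        while i < len(rtf) and depth:
            if rtf[i] == "\\":      # \{ \} \\ \' are escapes, not structure
                i += 2
                continue
            depth += (rtf[i] == "{") - (rtf[i] == "}")
            i += 1
        groups.append(rtf[start:i - 1])  # drop the closing brace
    return groups


def _instruction_text(group):
    """Decode escapes and strip control words/braces, leaving the plain field instruction."""
    text = group.replace("\\\\", _ESCAPED_BACKSLASH)
    text = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = _CONTROL_WORD.sub("", text)
    text = re.sub(r"[{}]", "", text)
    return " ".join(text.split()).replace(_ESCAPED_BACKSLASH, "\\")


def find_dde_fields(rtf):
    """Return the decoded instruction of every DDE/DDEAUTO field found in an RTF body."""
    instructions = (_instruction_text(g) for g in _fldinst_groups(rtf))
    return [instr for instr in instructions if _DDE_FIELD.match(instr)]


if __name__ == "__main__":
    for hit in find_dde_fields(SAMPLE_RTF):
        print("DDE field found:", hit)
```

The same field-instruction check applies to RTF attachments; for .docx the instruction lives in `w:instrText` elements instead of `\fldinst` groups.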

Microsoft Word and Outlook DDE Abuse Tactics Leveraged in Locky, Trickbot, and Pony Malware Campaigns:

  • Following public disclosure of the potential abuse of Dynamic Data Exchange content in Office, phishing threat actors have begun to weaponize this technique.

  • Early weaponization delivered the DELoader botnet malware, but more recent campaigns have also delivered Locky, TrickBot, and Pony.

  • This escalating usage indicates how useful the technique is to threat actors and how severe a hazard DDE abuse presents.
