Microsoft DDE Works in Outlook Too


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

CareCERT has previously written about Advanced Persistent Threat (APT) groups abusing Microsoft's Dynamic Data Exchange (DDE) feature through malicious attachments.

Threat details

The earlier article, CC-1707, covered this abuse in, for example, Word and Excel files, without the use of macros. This attack vector has now been expanded to include Outlook, using emails and calendar invites.

In the original attack users had to be socially engineered into opening malicious attachments. By putting the payloads into the email message body itself or directly into calendar invites, the likelihood of a recipient falling victim to the attack is increased greatly as the emails or invites only have to be opened for a payload to be executed.

Attachments, emails and calendar invites pop up two giveaway warning dialogues before executing a DDEAUTO attack; if you click 'No' in either dialogue then the attack is prevented. If you click 'Yes' in the first, you will see another dialogue warning that a command is about to be run. Clicking 'Yes' will run the command. Currently there is no known mechanism to bypass these dialogue boxes.


Threat updates

10 Nov 2017: Microsoft has released an advisory that provides information and guidance on securing or disabling DDE fields in Microsoft Office applications.


Remediation advice

Mitigation:

  • Consider disabling DDE.
  • DDE attacks embedded directly within emails can be neutered by viewing messages in plain text, including messages that are sent as HTML, although this change will make some emails harder to read where colours and styling have been used.
  • Ensure that users are taking the time to check dialogue boxes before clicking 'Yes'.
  • Users and administrators are encouraged to review Microsoft Security Advisory 4053440.

Last edited: 17 February 2020 11:34 am