Microsoft Office DDE Attack Launches Malware, No Macros Required
Attackers prove there's more than one way to infect victims with Microsoft Office documents. See how the new technique works and learn how Barkly blocks it.
Tricking users into opening booby-trapped Microsoft Office documents is one of the most popular ways for attackers to deliver malware, but up till now the approach has primarily relied on getting those users to enable macros.
That may be about to change, however, with researchers at SensePost pointing out there is another legitimate Office feature that attackers are abusing to run malicious code.
The feature, called Microsoft Dynamic Data Exchange (DDE), allows Office programs to load data from other Office programs (for example, a table in a Word document can be kept automatically up to date with data from an Excel file). The problem is that attackers can abuse DDE so that, instead of loading data from another Office program, it opens a command prompt.
How Microsoft Office DDE attacks work
The beauty and danger of DDE attacks is in their simplicity. All attackers have to do is insert a custom field into a document whose instructions tell Office to launch a program through the command line.
No macros, but the attack does still require user interaction
The good news is that when a user opens a document with DDE fields they will receive a warning notifying them that the document contains links that may refer to other files. The user then has to confirm that they do want to update the document with data from the linked files to continue.
After selecting "Yes," under normal circumstances the user is presented with a second prompt explaining that there is an error and asking them to confirm they want to start cmd.exe.
Unfortunately, this second prompt can reportedly be edited or even disabled by attackers, making it even easier for the attack to slip by.
To show what the attack actually looks like in action, we created a Word doc disguised as a "Weekly Revenue Report" with custom DDE field code instructing it to launch calc.exe.
As an example of how attackers can preemptively address the warnings, we also included a note in the document informing the user they would need to select "yes" twice when prompted so the document could load properly.
Here's what the resulting attack looked like:
In this example, we simply launched calc.exe, but in a real scenario attackers can use this technique to run any variety of malicious code, or launch a legitimate program like powershell.exe to give them more attack functionality.
DDE is actually an older feature that has since been superseded by Microsoft's Object Linking and Embedding (OLE) toolkit, but it continues to be supported by all Office programs.
What makes DDE especially problematic from a security perspective is that, like OLE and macros, Microsoft considers it a legitimate feature that attackers have unfortunately found a creative way of abusing. As far as Microsoft is concerned, DDE works as it should and users do get a warning. As such, the company has no plans to issue a patch that would remove its functionality.
In addition, because they are considered legitimate, most antivirus solutions do not flag or block Office documents with DDE fields.
All that means DDE attacks are likely here to stay, at least for the immediate future.
What to do now
As always, users should be reminded to be suspicious of Office files they receive in unexpected emails, and they should be told to be especially wary of the two warning prompts mentioned above.
In addition, if feasible for your organization, disabling the "update automatic links at open" option in Office programs can help stop this attack.
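Because the attack lives in an ordinary field code (the "custom field" described above) and most antivirus products treat such fields as legitimate, a defender can still inspect incoming documents for it directly. The following is an added example, not code from this post, from Barkly or from SensePost: a Python scanner that unpacks a .docx (a zip archive whose body is word/document.xml) and reports any field whose instruction begins with DDE or DDEAUTO. It uses only the standard library; the two sample documents are constructed inline, and the program name inside the DDEAUTO field is a placeholder rather than a working payload.

```python
"""Scan .docx files for DDE and DDEAUTO field codes.

Added example (not Barkly's or SensePost's code). Field instructions in
WordprocessingML appear either as <w:fldSimple w:instr="..."> or as
<w:instrText> runs between a fldChar "begin" and its "separate"/"end".
Word joins the instrText runs before evaluating the field, so the scanner
joins them too instead of matching run by run.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field keywords that make Word open a DDE conversation with another program.
DDE_FIELD_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one WordprocessingML part, reassembled."""
    root = ET.fromstring(part_xml)
    codes = []
    # Simple fields carry the whole instruction in one attribute.
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            codes.append(instr)
    # Complex fields: one stack entry per open field -> [instruction parts, in_result].
    # instrText between "begin" and "separate" is the instruction; after
    # "separate" comes the cached display result, which is not code.
    stack = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], False])
            elif kind == "separate" and stack:
                stack[-1][1] = True
            elif kind == "end" and stack:
                parts, _ = stack.pop()
                codes.append("".join(parts))
        elif el.tag == W + "instrText" and stack and not stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return DDE/DDEAUTO field codes found in any word/*.xml part (headers and footers included)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(zf.read(name))
            except ET.ParseError:
                continue  # not well-formed XML; treat as a separate review item
            hits.extend(code for code in codes if DDE_FIELD_RE.match(code))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Build a minimal constructed .docx (only word/document.xml) for the scanner to read."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample 1: an ordinary page-number field, which must not be flagged.
BENIGN_BODY = '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'

# Constructed sample 2: a DDEAUTO field whose instruction is split across two runs
# and whose cached result shows harmless text, like the "Weekly Revenue Report" lure.
# The program and arguments are placeholders, not a working payload.
DDE_BODY = (
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO "placeholder-program.exe" "placeholder-args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>Weekly Revenue Report</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dde", DDE_BODY)):
        print(label, find_dde_fields(build_docx(body)))
```

The scanner reassembles split instrText runs for the same reason Word does: the field keyword is only visible once the runs are joined, so a per-run match would miss it. It reads every word/*.xml part rather than just document.xml because fields can sit in headers, footers and footnotes, and it returns the field text so an analyst can see what the document would have tried to launch.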
Barkly automatically blocks this threat and others like it by preventing malicious behaviors — like an Office program attempting to launch an external program.
By analyzing behaviors, rather than simply analyzing static files, Barkly can prevent the misuse of any legitimate programs or tools (macros, PowerShell, etc.), which is a tactic more and more attacks are leveraging to get around AVs.