Office logo

Malware authors don't necessarily need to trick users to enable macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.

This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

How the DDE attack works

Under the hood, DDE is nothing more than a custom field that users can insert into documents. These fields allow users to enter simple instructions with the location of where to pull data, and what data to inject into the new document.

The problem is that malware authors can create malicious Word files with DDE fields that instead of opening another Office app, open a command prompt and run malicious code.

Under normal circumstances, Office apps show two warnings. The first is a warning about the document containing links to other files, while the second is for an error about opening a remote command prompt.

DDE attack Office prompts

According to two security researchers from SensePost, the second popup can be suppressed, limiting the warnings to only the first.

This greatly increases the DDE attack's usability. Users who work with DDE-linked files on a regular basis are predisposed to dismiss the popup, mostly by training, because they performed the action so many times before.

Microsoft: This is not a vulnerability

SensePost contacted Microsoft earlier in the year, but the company did not consider this a vulnerability, in the true sense of the word.

The reason why Microsoft does not consider DDE attacks to be security issues is that Office shows warnings before opening the files.

This is just another case where malware authors have found a creative way of abusing a legitimate feature, like with OLE and macros, for which Microsoft also warns users before running.

Security experts like Dr. Vesselin Bontchev agree with Microsoft's decision on the DDE attack categorization.

DDE attacks used in the wild by FIN7 group

This type of attack existed since the early 90s, when DDE was introduced, but recently came back into the public's eye in March 2017 when a security researcher going by the name of PwnDizzle published a report on the ways malware authors could use Office documents to deliver payloads. The report included macros, OLE objects, ActiveX components, PowerPoint actions, but also DDE fields.

The DDE technique recently became a hot topic in the infosec community after SensePost published a detailed tutorial on how to carry out a DDE attack.

Security experts reacted. David Longenecker published a tutorial on how to detect past DDE attacks via the Windows Event Logs.

Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks. Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.

Kevin Beaumont discovered the technique being used in live attacks by FIN7, a group of hackers specialized in hitting financial organizations [1, 2, 3]. Cisco Talos published a more detailed analysis of these attacks, carried out by the same group who previously developed the DNSMessenger malware.

For the time being, users should be wary of opening Office files with DDE links if they received the documents via email from unknown persons. If they received the file from a known sender, because email spoofing is so prevalent, users should double-check with the sender and make sure they really sent the file.

Image credits: SensePost