Microsoft DDE Works in Outlook
We have written about Advanced Persistent Threat (APT ) groups abusing Microsoft’s Dynamic data Exchange (DDE) feature through malicious attachments, for example in Word and Excel files but without the use of macros. This attack vector has now been expanded to include Outlook using emails and calendar invites.
In the original attack users had to be socially engineered into opening malicious attachments. By putting the payloads into the email message body itself or directly into calendar invites, the likelihood of a recipient falling victim to the attack is increased greatly as the emails or invites only have to be opened for a payload to be executed.
Attachments, emails and calendar invites pop up two giveaway warning dialogues before executing a DDEAUTO attack; if you ‘No’ to either dialogue then the attack is prevented. If you click ‘Yes’ to the first, you will see another dialogue warning that a command is about to be run. Clicking ‘Yes’ will run the command. Currently there is no known mechanism to bypass these dialog boxes.
Affected Platforms
Microsoft Outlook
Remediation
Mitigation:
- Consider disabling DDE.
- DDE attacks embedded within emails directly can be neutered by viewing messages in plain text, including messages that are sent as HTML. Although this change will make some emails harder to read where colours and styling has been used.
- Ensure that users are taking the time to check dialogue boxes before clicking ‘Yes’.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.