A security advisory published by Microsoft on Wednesday provides information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol.
DDE is designed for data exchanges between Office and other Windows applications. Researchers warned recently that the way DDE fields are processed could be abused by hackers to create documents that load malicious resources from an external server. The technique can be used as a substitute for macros in attacks involving documents.
DDE has been abused in attacks by various types of threat actors, including by cybercriminals who are trying to make a profit using the Locky ransomware and Russia-linked cyberspies known for targeting high-profile organizations.
While at some point it may release an update that would prevent DDE attacks, Microsoft highlighted that DDE is a legitimate feature and there already are several protections and mitigations in place.
The company pointed out that for an attack to work, victims need to be convinced to disable Protected Mode and click through some prompts referencing linked files and remote data.
Additionally, Microsoft said Office users can enable specific registry keys that improve security, including a key that disables automatic data updates from linked fields.
The tech giant has provided detailed information on how automatic link updates can be disabled in Excel, Outlook, Publisher and Word by setting specific registry keys. However, disabling the feature could impact legitimate functionality that leverages DDE and users might need to manually update fields.
In the case of Windows 10 Fall Creators Update, users are protected against DDE attacks by the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard.
Since malicious documents exploiting DDE are typically delivered via email, Microsoft has advised users to act with caution when opening suspicious attachments.
The latest report on DDE attacks comes from McAfee and it describes a campaign launched by the Russia-linked cyber espionage group tracked as APT28 and Fancy Bear. The attackers used documents referencing the recent terrorist attack in New York and the Saber Guardian military exercise to deliver reconnaissance malware.
Related: Microsoft Patches Office Zero-Day Used to Deliver Malware
Related: Microsoft Patches Windows Flaws Exploited in Attacks
Related: .NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Latest News
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
