Microsoft Issues Advisory for Mitigating DDE Attacks

A security advisory published by Microsoft on Wednesday provides information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol.

DDE is designed for data exchanges between Office and other Windows applications. Researchers warned recently that the way DDE fields are processed could be abused by hackers to create documents that load malicious resources from an external server. The technique can be used as a substitute for macros in attacks involving documents.

DDE has been abused in attacks by various types of threat actors, including by cybercriminals who are trying to make a profit using the Locky ransomware and Russia-linked cyberspies known for targeting high-profile organizations.

While at some point it may release an update that would prevent DDE attacks, Microsoft highlighted that DDE is a legitimate feature and there already are several protections and mitigations in place.

The company pointed out that for an attack to work, victims need to be convinced to disable Protected Mode and click through some prompts referencing linked files and remote data.

Additionally, Microsoft said Office users can enable specific registry keys that improve security, including a key that disables automatic data updates from linked fields.

The tech giant has provided detailed information on how automatic link updates can be disabled in Excel, Outlook, Publisher and Word by setting specific registry keys. However, disabling the feature could impact legitimate functionality that leverages DDE and users might need to manually update fields.

In the case of Windows 10 Fall Creators Update, users are protected against DDE attacks by the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard.

Since malicious documents exploiting DDE are typically delivered via email, Microsoft has advised users to act with caution when opening suspicious attachments.
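
Because these documents usually arrive as attachments, a mail gateway or triage script can flag DDE fields before a user opens the file. The scanner below is an added example, not code from Microsoft's advisory or from this article; it assumes .docx (OOXML) input, and the sample documents with their placeholder field arguments are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)
MAX_PART = 20 * 1024 * 1024  # assumed cap on uncompressed part size

def field_instructions(xml_bytes):
    """Yield the instruction text of every field in one WordprocessingML part."""
    buf = []
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == W + "fldSimple":          # whole instruction in one attribute
            yield el.get(W + "instr", "")
        elif el.tag == W + "instrText":        # complex field: text split across runs
            buf.append(el.text or "")
        elif el.tag == W + "fldChar" and buf:  # begin/separate/end closes a fragment
            yield "".join(buf)
            buf = []
    if buf:
        yield "".join(buf)

def scan_docx(data):
    """Return (part, finding) pairs for DDE/DDEAUTO fields in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            raw = zf.read(info) if info.file_size <= MAX_PART else b""
            if not raw or b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD
                hits.append((name, "uninspected: oversized, empty or has DOCTYPE"))
                continue
            hits += [(name, i.strip()) for i in field_instructions(raw) if DDE_RE.match(i)]
    return hits

def _sample(body):
    """Constructed input: a minimal ZIP holding only word/document.xml."""
    xml = f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return out.getvalue()

SPLIT_DDE = _sample('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                    '<w:r><w:instrText> DDE</w:instrText></w:r>'
                    '<w:r><w:instrText>AUTO "placeholder-app" "placeholder-item" </w:instrText></w:r>'
                    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
BENIGN = _sample('<w:fldSimple w:instr=" PAGE "/>')
```

Joining the `w:instrText` runs before matching matters because the keyword can be split across runs, which defeats a plain string search of the XML. Legacy .doc and .rtf files and DDE references in spreadsheet formulas are outside what this check covers.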

The latest report on DDE attacks comes from McAfee and it describes a campaign launched by the Russia-linked cyber espionage group tracked as APT28 and Fancy Bear. The attackers used documents referencing the recent terrorist attack in New York and the Saber Guardian military exercise to deliver reconnaissance malware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
