Microsoft Office documents that include malicious macros are commonly used to distribute malware and ransomware. However, security experts have now identified Microsoft Office attacks without macros, and the technique is more difficult to block.
While you can turn off macros so they do not run automatically, and even turn off macros completely, that will not safeguard you from this new attack method, which uses a feature of MS Office called Dynamic Data Exchange or DDE, according to security experts at SensePost. This in-built feature of Windows permits two applications to use the same data, for example MS Word and MS Excel. DDE allows a one- time exchange of data between two applications or continuous sharing of data.
hackers can use this feature of MS Office to obtain a document to execute an application without the use of macros as part of a multi-stage attack on the target. Different to macros which flash a security warning before being allowed to operate, this attack method does not give the user with a security warning as such.
Opening the MS Office file will show the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who normally use files that use the DDE protocol may automatically click on yes.
Another dialog box is then shown asking the user to confirm that they wish to execute the file mentioned in the command, but the researchers explain that it is possible to suppress that warning.
This technique has already been implemented by at least one group of hackers in spear phishing campaigns, with the emails and documents seemingly having been sent from the Securities and Exchange Commission (SEC). In this instance, the hackers were using the technique to infect users with DNSMessenger fileless malware.
Unlike macros, turning off DDE is problematic. While it is possible to review for these types of attacks, the best security is blocking the emails that send these malicious messages using a spam filter, and to train staff to be more security conscious and to verify the source of the email before clicking on any attachments.
