A new unpatched attack method has surfaced that exploits a built-in feature of Microsoft Office.
Attackers are abusing an old Microsoft Office feature called Dynamic Data Exchange (DDE), which lets them execute malicious code on the targeted device without using macros.
DDE is one of the mechanisms Microsoft provides for two running applications to share data. Thousands of apps use the protocol for one-time data transfers and for continuous exchanges in which they send updates to one another. The technique displays no security warning other than a prompt asking the user whether to execute the application specified in the command. However, the pop-up could be eliminated with proper syntax modification.
Attackers have been seen using the Necurs botnet to distribute Locky ransomware and the TrickBot banking Trojan through Word documents that use the DDE attack technique. Because DDE is a legitimate Microsoft feature, most antivirus solutions will not raise warnings about or block MS Office documents with DDE fields.
Users are advised to disable the “update automatic links at open” option in MS Office programs.
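Since documents with DDE fields tend to pass antivirus checks, a mail gateway or triage script can inspect Word files for those fields directly. The scanner below is an added example, not part of the original advisory: it assumes the .docx (OOXML) package format with Word's usual `w:` namespace prefix, looks for Word's DDE and DDEAUTO field codes, and builds its own constructed sample with placeholder strings.

```python
import html
import io
import re
import zipfile

# Package parts that can hold field codes (body, headers, footers, notes).
PART_RE = re.compile(r"word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml")
FIELD_START_RE = re.compile(r'<w:fldChar\b[^>]*w:fldCharType="begin"')
INSTR_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.I)

def field_instructions(xml):
    """Yield the instruction text of every field in one XML part."""
    for m in SIMPLE_RE.finditer(xml):
        yield html.unescape(m.group(1))
    # Complex fields: Word may split one instruction over several runs,
    # so join all <w:instrText> pieces that follow each field start.
    for chunk in FIELD_START_RE.split(xml)[1:]:
        yield html.unescape("".join(INSTR_RE.findall(chunk)))

def find_dde_fields(docx_bytes):
    """Return (part name, instruction) for each DDE/DDEAUTO field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not PART_RE.fullmatch(name):
                continue
            xml = pkg.read(name).decode("utf-8", errors="replace")
            for instr in field_instructions(xml):
                if DDE_RE.match(instr):
                    hits.append((name, instr.strip()))
    return hits

def make_sample(instr_runs):
    """Build a minimal constructed .docx-like package (test input only)."""
    runs = "".join(f"<w:r><w:instrText>{t}</w:instrText></w:r>" for t in instr_runs)
    body = ('<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'{runs}<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample(["DDE", "AUTO placeholder-app placeholder-topic"])
    print(find_dde_fields(sample))
```

A hit means the document contains a DDE field and deserves manual review before it is opened; legacy `.doc` files and other Office formats need a different parser.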