A security advisory published by Microsoft on Wednesday provides information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol.
DDE is designed for data exchanges between Office and other Windows applications. Researchers warned recently that the way DDE fields are processed could be abused by hackers to create documents that load malicious resources from an external server. The technique can be used as a substitute for macros in attacks involving documents.
DDE has been abused in attacks by various types of threat actors, including by cybercriminals who are trying to make a profit using the Locky ransomware and Russia-linked cyberspies known for targeting high-profile organizations.
While at some point it may release an update that would prevent DDE attacks, Microsoft highlighted that DDE is a legitimate feature and there already are several protections and mitigations in place.
The company pointed out that for an attack to work, victims need to be convinced to disable Protected Mode and click through some prompts referencing linked files and remote data.
Additionally, Microsoft said Office users can enable specific registry keys that improve security, including a key that disables automatic data updates from linked fields.
The tech giant has provided detailed information on how automatic link updates can be disabled in Excel, Outlook, Publisher and Word by setting specific registry keys. However, disabling the feature could impact legitimate functionality that leverages DDE and users might need to manually update fields.
In the case of Windows 10 Fall Creators Update, users are protected against DDE attacks by the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard.
Since malicious documents exploiting DDE are typically delivered via email, Microsoft has advised users to act with caution when opening suspicious attachments.
The latest report on DDE attacks comes from McAfee and it describes a campaign launched by the Russia-linked cyber espionage group tracked as APT28 and Fancy Bear. The attackers used documents referencing the recent terrorist attack in New York and the Saber Guardian military exercise to deliver reconnaissance malware.