MS Office DDE Command Execution Attacks

Researchers at SensePost published an interesting and slick way to execute code on a target computer using Microsoft Office, without macros and without any memory corruption. The technique received wide attention after Microsoft decided that the functionality is a feature working as designed and will not be removed. It relies on Dynamic Data Exchange (DDE), an older inter-process communication mechanism that Office applications still support for pulling data from, and automating, other applications.

It works even with macros disabled because it does not use macros at all, so the user never sees a macro security warning. Word only asks whether the document should be updated with data from its linked files, and then whether it should start the application named in the field; both prompts look innocent.
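The field that carries the attack is an ordinary Word field whose instruction starts with DDE or DDEAUTO followed by the program to launch and its arguments (SensePost's published proof of concept launched cmd.exe to start calc.exe). Because a .docx is a zip of XML parts, the field instruction can be found without opening the document in Office. The Python below is an added example written for this page, not code from SensePost or from TRAPMINE: it scans every WordprocessingML part of a .docx for DDE/DDEAUTO field instructions, joining instruction text that is split across several runs (a common evasion), and builds a constructed minimal .docx in memory so the scanner can be exercised offline. The helper names (field_instructions, scan_docx, build_sample_docx) are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLDCHAR, FLDTYPE = f"{{{W}}}fldChar", f"{{{W}}}fldCharType"
INSTRTEXT, FLDSIMPLE, INSTR = f"{{{W}}}instrText", f"{{{W}}}fldSimple", f"{{{W}}}instr"
# Word field names are case-insensitive; both DDE and DDEAUTO launch the named program.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml: bytes):
    """Yield every field instruction string in one WordprocessingML part.

    A simple field keeps its instruction in the w:instr attribute of w:fldSimple.
    A complex field spreads it over w:instrText runs between a fldChar 'begin' and
    the following 'separate' (or 'end'); attackers split DDEAUTO across several
    runs, so the runs are joined before matching. A stack copes with nested fields.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(FLDSIMPLE):
        yield fld.get(INSTR, "")
    stack = []  # one buffer per open complex field; None once its result section began
    for el in root.iter():  # document order
        if el.tag == FLDCHAR:
            kind = el.get(FLDTYPE)
            if kind == "begin":
                stack.append([])
            elif kind == "separate" and stack and stack[-1] is not None:
                yield "".join(stack[-1])
                stack[-1] = None  # what follows is the displayed result, not the instruction
            elif kind == "end" and stack:
                buf = stack.pop()
                if buf is not None:  # field that had no result section
                    yield "".join(buf)
        elif el.tag == INSTRTEXT and stack and stack[-1] is not None:
            stack[-1].append(el.text or "")


def scan_docx(data: bytes) -> list:
    """Return the whitespace-normalized DDE/DDEAUTO field instructions in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # body, headers, footers and footnotes all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = list(field_instructions(zf.read(name)))
            except ET.ParseError:
                continue  # not a WordprocessingML part (or deliberately malformed)
            for instr in instructions:
                text = " ".join(instr.split())
                if DDE_RE.search(text):
                    hits.append(text)
    return hits


def build_sample_docx(instr_runs) -> bytes:
    """Build a minimal, constructed .docx with one complex field whose instruction
    is split across the given w:instrText runs (a test sample, not a real document)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
        for r in instr_runs)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>text the victim actually sees</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>')
    types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", document)
    return out.getvalue()


if __name__ == "__main__":
    # The published proof-of-concept field, split across two runs as in-the-wild samples were.
    payload = ["DDE", r'AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"']
    print("malicious:", scan_docx(build_sample_docx(payload)))
    print("benign:   ", scan_docx(build_sample_docx([r'DATE \@ "d MMMM yyyy"'])))
```

Two caveats for anyone turning this into a real check: the scanner only sees fields written in the clear, so an instruction that is encoded with a QUOTE field or stored in the legacy binary .doc or RTF formats will not match, and a part that fails to parse is skipped here for brevity, whereas a production scanner should treat an unparseable part as suspicious rather than clean.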

Although the attack technique was published only two days ago, we are already seeing it actively used by attackers in the wild.

TRAPMINE is able to prevent execution of the payload without needing any prior knowledge;