Move over macros, Office DDE exploits arrive!
Office macros have been the primary choice of attacks by malicious actors for years. IT administrators and users have learned to be cautious before running macros. The Dynamic Data Exchange (DDE) protocol has been around much longer but hadn’t been used for attacks. It’s a communication protocol that allows programs to share data with each other.
In 2016, Sensepost researchers authored an article describing how DDE exploits may be used with Microsoft Excel formulas. It allows specially crafted formulas to run applications on the machine and return data from web requests. Unlike macros, the formulas don’t currently execute with an option to display a security warning to the user. Excel isn’t the only application that offers these formulas, Word includes the option as well. Macros, OLE objects, and RTF exploits have been the main attack Office vectors, however, we expect DDE will gain traction since it is lesser known.