Cybercriminals Leveraging Dynamic Data Exchange Protocol

December 5, 2017

The DDE protocol allows messages to be sent between Microsoft applications and uses shared memory to pass data between them.

On November 8th, Microsoft issued Security Advisory 4053440, which provided guidance and information on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. The DDE protocol allows messages to be sent between Microsoft applications and uses shared memory to pass data between them. Visa notes that a malicious cyber actor could use the DDE protocol to deliver specially crafted files to users through phishing and web-based downloads, and strongly recommends that users exercise extreme caution when opening suspicious files.

Visa Payment Systems Intelligence is aware of multiple cybercriminal threats to the payments ecosystem currently leveraging the DDE protocol in phishing schemes. The primary cybercriminal method of exploitation starts with a phishing e-mail and relies on the DDE protocol as the point of infection, as opposed to malicious macros or an exploit kit. Visa is issuing this alert to raise awareness of the cyber threats actively exploiting this Microsoft Windows feature. In its advisory, Microsoft provides controls and mitigations for the DDE protocol.

More About the DDE Protocol

According to Microsoft, Microsoft Office provides several methods for transferring data back and forth between applications. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and then uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Microsoft Security Alert and Attack Scenario

Microsoft offers information on security settings for Microsoft Office applications and guidance on what users can do to secure Microsoft applications when processing DDE fields. Microsoft Office applications include the DDE feature, which allows one Microsoft document to access data from another document. This functionality is very useful; however, the document field that requests the data can be altered to execute arbitrary commands, including commands that download and execute a malicious payload.
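Because the risk sits in the field instruction itself, one practical control is to inspect inbound Word attachments for such fields before a user opens them. The following is an added example, not code from the Visa alert or from Microsoft: it opens a .docx, collects every field instruction (the simple `w:fldSimple` form and the complex form, where Word spreads one instruction over several `w:instrText` runs) and flags any instruction that begins with DDE or DDEAUTO, the field keywords that invoke the protocol. The sample document it builds is constructed for the demonstration, and the spreadsheet path in its DDE link is made up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used inside word/document.xml, headers and footers
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instructions that invoke DDE. Legitimate business documents almost
# never carry them, so any hit is worth quarantining and reviewing.
DDE_FIELD_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one document part.

    Covers both the simple form (<w:fldSimple w:instr="...">) and the complex
    form, where the instruction is spread over <w:instrText> runs between
    <w:fldChar> begin/end markers. Word splits long instructions across runs,
    so the runs are joined before matching; a stack handles nested fields.
    """
    root = ET.fromstring(part_xml)
    codes = [fld.get(W + "instr", "") for fld in root.iter(W + "fldSimple")]
    stack: list[list[str]] = []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return codes


def find_dde_fields(codes: list[str]) -> list[str]:
    """Keep only the instructions that start with DDE or DDEAUTO."""
    return [c.strip() for c in codes if DDE_FIELD_RE.match(c)]


def scan_docx(data: bytes) -> list[str]:
    """Scan an in-memory .docx and return the DDE field instructions found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Body, headers, footers and footnotes all live under word/*.xml
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                hits.extend(find_dde_fields(extract_field_codes(z.read(name))))
            except ET.ParseError:
                continue  # malformed part: not a field hit, but worth logging elsewhere
    return hits


def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Construct a minimal .docx in memory (constructed test input, not a real file).

    The first paragraph holds one complex field whose instruction is split over
    the given runs; the second holds a harmless simple DATE field.
    """
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>' for t in instr_runs
    )
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>cached result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
        "<w:r><w:t>5 December 2017</w:t></w:r></w:fldSimple></w:p>"
        "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # A DDE link to a spreadsheet, stored across three runs as Word often does
    suspect = build_sample_docx([" DD", "EAUTO Excel ", '"C:\\constructed\\book.xlsx" "Sheet1!R1C1" '])
    benign = build_sample_docx([" TIME "])
    print("suspect:", scan_docx(suspect))   # one DDEAUTO instruction
    print("benign: ", scan_docx(benign))    # []
```

A mail gateway or sandbox can call `scan_docx` on each attachment and hold anything that returns a non-empty list; matching on the joined instruction rather than on a single run is what keeps the check reliable for instructions Word has broken into pieces.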

The advisory describes the general attack scenario, in which an attacker could use the DDE protocol by sending a specially crafted file to the user and then convincing the user to open that file. The attacker would also have to convince the targeted user to disable Protected Mode and click through one or more additional prompts. Phishing appears to be the primary delivery method malicious actors are using to reach victims, which is why Microsoft strongly advises that customers exercise extreme caution when opening suspicious file attachments.

Microsoft Security Guidance

Microsoft strongly encourages all Microsoft Office users to review the security-related feature control keys and to enable them. In addition, Microsoft provides further information, details, and warnings regarding the various steps that users can take to protect themselves. For more information, please refer to the Microsoft Security Advisory. Additional Microsoft discussion on utilizing DDE can be found here.
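The feature control keys the advisory refers to are per-user registry values that stop Word, Outlook and Excel from updating DDE links automatically. The script below is an added example, not Visa's or Microsoft's code: it audits the three values listed in Advisory 4053440 (DontUpdateLinks for Word and for Outlook's WordMail options, WorkbookLinkWarnings for Excel) and reports any that are absent or not set to the recommended value. The Office version subkeys it tries (14.0, 15.0, 16.0) are an assumption; it keeps only the ones present on the machine.

```python
import sys

# Values published in Microsoft Security Advisory 4053440 (cited by the alert):
# (application, subkey below Software\Microsoft\Office\<ver>, value name, recommended DWORD)
FEATURE_CONTROLS = (
    ("Word",    r"Word\Options",          "DontUpdateLinks",      1),
    ("Outlook", r"Word\Options\WordMail", "DontUpdateLinks",      1),
    ("Excel",   r"Excel\Security",        "WorkbookLinkWarnings", 2),
)

# Office version subkeys are an assumption (14.0 = 2010, 15.0 = 2013, 16.0 = 2016);
# read_hkcu() below keeps only the ones that exist for the current user.
CANDIDATE_VERSIONS = ("14.0", "15.0", "16.0")


def expected_values(versions):
    """Yield (app, full subkey under HKCU, value name, recommended value)."""
    for ver in versions:
        for app, sub, name, want in FEATURE_CONTROLS:
            yield app, rf"Software\Microsoft\Office\{ver}\{sub}", name, want


def evaluate(snapshot, versions):
    """Compare a registry snapshot with the advisory's recommended values.

    snapshot maps (subkey, value_name) -> DWORD, or None when the value is
    absent. Absent means Office falls back to its default (links update
    automatically), so it is reported just like a wrong value.
    """
    findings = []
    for app, key, name, want in expected_values(versions):
        have = snapshot.get((key, name))
        if have != want:
            findings.append(f"{app}: HKCU\\{key}\\{name} = {have!r} (recommended {want})")
    return findings


def read_hkcu():
    """Take the snapshot from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows

    versions, snapshot = [], {}
    for ver in CANDIDATE_VERSIONS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, rf"Software\Microsoft\Office\{ver}"))
        except OSError:
            continue  # this Office version is not installed for the user
        versions.append(ver)
        for _app, key, name, _want in expected_values([ver]):
            try:
                with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                    snapshot[(key, name)] = winreg.QueryValueEx(k, name)[0]
            except OSError:
                snapshot[(key, name)] = None  # key or value missing
    return snapshot, versions


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on the Windows workstation you want to audit")
    snap, vers = read_hkcu()
    for line in evaluate(snap, vers) or ["all feature control keys set as recommended"]:
        print(line)
```

`evaluate` is kept separate from `read_hkcu` so the comparison can be run against snapshots exported from many machines; it covers the per-user keys the advisory names, so settings pushed by other means still need to be checked where they are configured.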

Best Practices

1. Educate all employees on how to avoid phishing scams and how to safely open emails that have attachments.
2. Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior.
3. Refer to these external resources: Microsoft Security Advisory 4053440, Microsoft Office 2016: Secure and Control Access to Office, and Microsoft Office 2013: Secure Office 2013.
4. Refer to Visa’s What To Do If Compromised (WTDIC) document.

To report a data breach, contact Visa Fraud Control:

For more information, please contact:
A majority of this information is directly attributed to this Visa Security Alert: Cybercriminals Leveraging Dynamic Data Exchange Protocol
