Windows Trick ‘Can Spread Malware Through Outlook Emails’

An as-yet-unpatched Windows security hole could allow attackers to trigger the execution of malware using code built into Outlook emails, researchers have warned.

The vulnerability first surfaced earlier this month when researchers found that Microsoft’s Dynamic Data Exchange (DDE), which is used for transmitting messages and code between applications, could also allow Office documents to trigger malware without the use of macros.

DDE attacks

DDE has been built into Windows since 1993, but two weeks ago Sophos said attackers had begun using the feature maliciously.

“Since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs),” wrote Sophos researcher Mark Loman in an advisory.

The computer security firm said DDE was being exploited via attachments such as Word or Excel files.

Such attachments are commonly used to spread malware using malicious macros, but the use of DDE means the malware could run even if users have macros disabled.

Credit: Sophos

Microsoft said it considers DDE a legitimate feature, and as such it isn’t clear whether the company plans to issue a patch, according to Sophos.

Over the weekend the firm reported it may also be possible to trigger DDE malware in Outlook via emails or calendar invites formatted with Microsoft Outlook Rich Text Format.

No attachment needed

Doing so means the exploit runs without the user having to open an attachment, Sophos said.

“By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier,” the firm said in a second advisory on Sunday.

The attack isn’t fully automated, however, and still requires tricking users into clicking “Yes” on two successive dialogue boxes. Sophos said it isn’t yet aware of any means of bypassing the dialogue boxes.

Credit: Sophos

The first message reads: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

If the user clicks “Yes”, a second message asks the user’s permission to run a command, as follows: “The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?”

The text in parentheses and the program name referenced at the end vary depending on the code used, Sophos said.

Clicking “No” on either box stops the attack.

Sophos said users can also protect themselves by viewing all emails in plain text.
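As an added example, not from the article or from Sophos, the following PowerShell script applies that plain-text mitigation for the current user. It assumes Microsoft's documented per-user Outlook setting ReadAsPlain (DWORD, 1 = render all messages as plain text) under HKCU:\Software\Microsoft\Office\<version>\Outlook\Options\Mail, and checks each installed Office version it finds there.

```powershell
# Added example (not from the article or Sophos): force Outlook to display all
# messages as plain text, so RTF/HTML bodies are never rendered by the Word engine.
# Assumes the documented per-user value ReadAsPlain (DWORD 1) under
# HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail. Run as the affected user.
[CmdletBinding()]
param(
    [switch]$AuditOnly   # report the current state without changing anything
)

$officeRoot = 'HKCU:\Software\Microsoft\Office'

# Version hives that carry an Outlook subkey (2010 = 14.0, 2013 = 15.0, 2016/2019/365 = 16.0)
$versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.0$' -and
                   (Test-Path "$officeRoot\$($_.PSChildName)\Outlook") }

if (-not $versions) {
    Write-Warning "No Outlook settings hive found under $officeRoot for this user"
    return
}

foreach ($v in $versions) {
    $mailKey = "$officeRoot\$($v.PSChildName)\Outlook\Options\Mail"
    if (-not (Test-Path $mailKey)) { New-Item -Path $mailKey -Force | Out-Null }

    $current = (Get-ItemProperty -Path $mailKey -Name 'ReadAsPlain' `
                -ErrorAction SilentlyContinue).ReadAsPlain
    $shown = if ($null -eq $current) { 'unset' } else { $current }
    $state = if ($current -eq 1) { 'plain text (hardened)' } else { 'HTML/RTF rendered (at risk)' }
    Write-Output ("Office {0}: ReadAsPlain={1} -> {2}" -f $v.PSChildName, $shown, $state)

    if ($AuditOnly -or $current -eq 1) { continue }

    # Apply the mitigation; Outlook reads this value on startup
    Set-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -Value 1 -Type DWord
    Write-Output ("Office {0}: ReadAsPlain set to 1; restart Outlook to apply" -f $v.PSChildName)
}
```

Run with -AuditOnly to report the current state without changing it; Outlook must be restarted for the new setting to take effect.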


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
