An as yet-unpatched Windows security hole could allow attackers to trigger the execution of malware using code built into Outlook emails, researchers have warned.
DDE has been built into Windows since 1993, but two weeks ago Sophos said attackers had begun using the feature maliciously.
“Since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs),” wrote Sophos researcher Mark Loman in an advisory.
The computer security firm said DDE was being exploited via attachments such as Word or Excel files.
Such attachments are commonly used to spread malware using malicious macros, but the use of DDE means the malware could run even if users have macros disabled.
Microsoft said it considers DDE a legitimate feature, and as such it isn’t clear whether the company plans to issue a patch, according to Sophos.
Over the weekend the firm reported it may also be possible ot trigger DDE malware in Outlook via emails or calendar invites formatted with Microsoft Outlook Rich Text Format.
Doing so means the exploit runs without the user having to open an attachment, Sophos said.
“By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier,” the firm said in a second advisory on Sunday.
The attack isn’t fully automated, however, and still requires tricking users into clicking “Yes” on two successive dialogue boxes. Sophos said it isn’t yet aware of any means of bypassing the dialogue boxes.
The first message reads: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”
If the user clicks “Yes”, a second message asks the user’s permission to run a command, as follows: “The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?”
The text in parentheses and the program names referenced at the end varies depending on the code used, Sophos said.
Clicking “No” on either box stops the attack.
Sophos said users can also protect themselves by viewing all emails in plain text.
What do you know about the history of mobile messaging? Find out with our quiz!
Level of cyberthreats revealed, after BT says it spots 2,000 signals of potential cyberattacks every…
The British competition regulator has provisionally found competition concerns over Vodafone’s planned merger with Three…
Post Activision - Microsoft Gaming confirms it will axe 650 employees, after thousands of job…
Billionaire Jared Isaacman and SpaceX’s Sarah Gillis become first non-professional astronauts to carry out risky…
Data centres in the UK are to designated as Critical National Infrastructure (CNI), alongside energy…
Google's protection of EU users' personal data when training its AI model, is under investigation…