An as yet-unpatched Windows security hole could allow attackers to trigger the execution of malware using code built into Outlook emails, researchers have warned.
DDE has been built into Windows since 1993, but two weeks ago Sophos said attackers had begun using the feature maliciously.
“Since its reveal this week, many attackers are leveraging the trick to deploy remote-access Trojans (RATs),” wrote Sophos researcher Mark Loman in an advisory.
The computer security firm said DDE was being exploited via attachments such as Word or Excel files.
Such attachments are commonly used to spread malware using malicious macros, but the use of DDE means the malware could run even if users have macros disabled.
Microsoft said it considers DDE a legitimate feature, and as such it isn’t clear whether the company plans to issue a patch, according to Sophos.
Over the weekend the firm reported it may also be possible ot trigger DDE malware in Outlook via emails or calendar invites formatted with Microsoft Outlook Rich Text Format.
Doing so means the exploit runs without the user having to open an attachment, Sophos said.
“By putting the code into the email message body itself, the attack comes one step closer, meaning that the social engineering needed to talk a recipient into falling for it becomes easier,” the firm said in a second advisory on Sunday.
The attack isn’t fully automated, however, and still requires tricking users into clicking “Yes” on two successive dialogue boxes. Sophos said it isn’t yet aware of any means of bypassing the dialogue boxes.
The first message reads: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”
If the user clicks “Yes”, a second message asks the user’s permission to run a command, as follows: “The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?”
The text in parentheses and the program names referenced at the end varies depending on the code used, Sophos said.
Clicking “No” on either box stops the attack.
Sophos said users can also protect themselves by viewing all emails in plain text.
What do you know about the history of mobile messaging? Find out with our quiz!
Rights group argues ChatGPT tendency to generate false information on individuals violates GDPR data protection…
European Commission says Apple's iPadOS is 'gatekeeper' due to large number of businesses 'locked in'…
As the cloud continues to be an essential asset for all businesses, developing and maintaining…
Internatinal conference in Vienna calls for controls on AI-powered autonomous weapons to ensure humans remain…
Major Taiwan chip assembly and test firm KYEC to sell Jiangsu subsidiary, exit mainland China…
As deepfake technology continues to blur the lines between reality and deception, businesses and individuals…