Our monitoring shows an uptick in tainted Office attachments and inline RTF documents that use DDE to launch malware or a downloader. The edge email gateway is now detecting the current batch of these as “Troj/DocDl-xxx” and Sophos endpoint is detecting these as “Troj/DocXX-xxx”.
Most people are “macro” savvy, but DDE (which has been around for a long time) is a new method of propagating malware.
If you receive an Office attachment via email and, when you view or open it, you get a warning such as:
Clicking “No” will prevent the DDE attack from launching.
If you click “Yes” at the first dialog, you will get another dialog warning that a command is about to be started, similar to:
The “No” option is the way to prevent the attack.
If you do get documents that contain these, you should validate the sender's email address and use an alternative method (not email) of contacting the sender to confirm their intent in sending the DDE documents.
Sophos Security Facebook video (no authentication required to view) https://www.facebook.com/SophosSecurity/videos/10155119823700017/
Naked Security article on the DDE attack https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/
Also this Microsoft article on how to view all email messages as plain text https://support.microsoft.com/en-ca/help/831607/how-to-view-all-e-mail-messages-in-plain-text-format