No attachment needed for new Office security bug

There’s a new Office security bug that can be exploited with just an email or calendar invite as well as the more common infected Office document.

The new Office exploit uses the long-standing DDE system which allows Office documents to ‘talk’ to each other.  Until told otherwise, it’s best to assume that all versions of Office are affected because DDE has been a core part of Office for over two decades.

Microsoft, as usual, hasn’t commented.  Customers can only hope the company is working on a fix.

Sophos first reported the DDE exploit arriving via Office documents.

Later, someone worked out that the same exploit could be delivered via an email or calendar invite.  That’s important because the email or invite version is triggered automatically.  Users don’t have to open a document.

The good news

Happily, some dialog boxes appear in Outlook which should raise a ‘red flag’ to any cautious Office user.

Clicking ‘No’ to either of these dialog boxes will disable the attack.

“This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”

Then a second dialog appears, something like this, though the commands/programs might differ:

“The remote data (k powershell -w hidden -NoP -NoExit -) is not accessible. Do you want to start the application C:\windows\system32\cmd.exe?”

Another safeguard would be to view all emails in plain text format.  We don’t recommend that because many modern emails would be almost unreadable in a text rendering.

Of course, all the major security software makers know about this exploit and should have added it to their detection systems.  As usual, make sure you have the latest update for Windows Defender and other AV software.
