Sophos is aware of a new method of attack that allows the execution of malicious code on an email without the use of attachments or macros. Reports suggest that it is possible to run Dynamic Data Exchange (DDE) attacks in Microsoft Outlook using emails and calendar invites formatted using Microsoft Outlook Rich Text Format (RTF).
The following sections are covered:
After receiving a malicious RTF email with the DDE attack included the user needs to click Reply or Reply All to start the attack. The user will then be prompted with two warning boxes shown below, if they select No to either of these that attack will fail.
The attack may come in the form of a calendar invite instead of an email. If a user opens the invite from calendar then it will prompt the same two boxes where selecting No will also stop the attack.
Second warning (the text in parenthesis and the program names referenced at the end will vary):
If a user clicks Forward on one of these emails it will not trigger the attack; However, if the user receiving the forwarded email clicks Reply or Reply All then this will trigger the attack and the same warning boxes will be displayed.
Previous versions of this attack discovered recently, used malicious Microsoft Office documents to run the DDE attack without the use of Macros. For those attacks, an attachment was still required on the spam email. Sophos detects those emails/attachments in a number of ways:
For customers using Sophos Intercept X or Exploit Prevention these Microsoft Office attachments are also stopped by the Lockdown exploit protection.
The new DDE attack which does not use attachments and instead includes the malicious code in the body of the RTF email has not been seen in wide usage yet. For the spam samples Sophos has seen using this technique they are detected by Sophos email scanning products as:
Additionally in previous attacks where attachments were used, the payloads seen being download included the information stealing malware TrikBot, detected as: HPmal/TrikBot-* and the Locky ransomware, detected as: Troj/Locky-*
Further behavioral based detection capabilities in Sophos HIPS is being added.
For Sophos customers using the XG Firewall, SFOS or Cyberoam new IPS signatures have been added.
Note: As DDE is part of Microsoft office and considered a feature, the new IPS signatures are classed as Informational which means the traffic will be set to Allow by default. Customers wanting to block this traffic will need to select Drop Packet for the below signatures.
Educate users to the potential threat. The attack relies on user interaction and can be easily stopped by the user just clicking No on either of the two warning messages.
Ensure the security products used are following the best practice recommendations.
Additionally for Sophos Endpoint/Server customers, decrease the attack surface by choosing to block certain applications using Application Control. Script files such as .js, .wsf, .ps1 and HTML Applications .hta are commonly used by malware authors to install the malicious payloads on the computer. To block these, add the following to the blocked list:
.js, .wsf, .ps1
Note: Blocking applications can cause legitimate software to break, any changes should be tested before deploying in a live environment.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.