Full Report
This article is for non-technical people who want to keep themselves and their companies safe from realistic threats. Short and sweet. In 2017 we saw a number of phishing techniques used successfully. This was largely due to the release of a handful of highly effective methods which are still being used. In this article we’ll cover what these are.

Dynamic Data Exchange (DDE) Payloads – CVE-2017-0199 / CVE-2017-8759

A technique that results in remote access without the use of macros. DDE is a protocol in MS Office products which allows applications to share data with each other. Some functions provided by this protocol allow the execution of commands, which can be abused by attackers to download malware.
Analysis Summary
# Tool/Technique: Dynamic Data Exchange (DDE) Payloads
## Overview
A technique allowing attackers to achieve remote access to a target system without needing to use macros. DDE is a legitimate protocol within MS Office products used for inter-application data sharing. Attackers abuse certain DDE functions to execute arbitrary commands, often used to download and install malware.
## Technical Details
- Type: Technique
- Platform: MS Office Products (Windows)
- Capabilities: Command execution via legitimate protocol interaction, malware download initiation.
- First Seen: Relevant CVEs point to exploitation activity around 2017.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Abusing DDE protocol to run operating system commands embedded within Office documents (e.g., `cmd.exe` execution).
- Instructing the application to download secondary malware payloads from remote servers.
### Advanced Features
- Bypasses typical macro-based security warnings, as it leverages a different, often less scrutinized, communication mechanism between Office components.
## Indicators of Compromise
- File Hashes: N/A (Focus is on document content/behavior)
- File Names: Documents (DOCX, XLS, etc.) leveraged to host the malicious DDE link.
- Registry Keys: N/A
- Network Indicators: Connections made by the executed command to download payloads (e.g., HTTP/HTTPS connections).
- Behavioral Indicators: Opening a document/spreadsheet triggering a prompt stating: "**This document contains fields that may refer to other files.**" followed by command execution.
## Associated Threat Actors
The article implies this technique was widely adopted by threat actors following the public disclosure of the vulnerabilities (CVE-2017-0199 / CVE-2017-8759).
## Detection Methods
- Signature-based detection: Specifically looking for DDE field syntax abuse within document files.
- Behavioral detection: Monitoring for Office applications spawning command shells (`cmd.exe` or PowerShell) upon document opening.
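The signature-based check above can be implemented as a scan of the field instructions inside a DOCX package. The following is an added example, not code from the article: it unpacks the OOXML zip, joins `w:instrText` runs per paragraph (crafted documents split the instruction across runs so a naive string search misses it) and flags any field whose instruction starts with `DDE` or `DDEAUTO`. The `make_docx` helper and the sample documents are constructed test input.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field instructions beginning with DDE or DDEAUTO are resolved by Word through
# the DDE protocol; these are what the signature check flags.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def dde_fields(docx_bytes: bytes) -> list:
    """Return every field instruction in a DOCX that invokes DDE.

    Simple fields are <w:fldSimple w:instr="..."/>; complex fields are a run of
    <w:instrText> elements, which are joined per paragraph before matching.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Headers, footers and footnotes also live under word/ and can carry fields.
        for name in (n for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            for fld in root.iter(W + "fldSimple"):
                instr = fld.get(W + "instr", "")
                if DDE_RE.search(instr):
                    hits.append(instr.strip())
            for para in root.iter(W + "p"):
                instr = "".join(t.text or "" for t in para.iter(W + "instrText"))
                if DDE_RE.search(instr):
                    hits.append(instr.strip())
    return hits


def make_docx(body_xml: str) -> bytes:
    """Build a minimal DOCX in memory (constructed test input, not a real document)."""
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: a harmless DATE field, and a DDEAUTO instruction split over
# two runs that names a placeholder program.
BENIGN_DOCX = make_docx("<w:p><w:r><w:instrText> DATE </w:instrText></w:r></w:p>")
SPLIT_DDE_DOCX = make_docx(
    "<w:p><w:r><w:instrText> DDE</w:instrText></w:r>"
    '<w:r><w:instrText>AUTO placeholder-program "constructed-arg" </w:instrText></w:r></w:p>'
)
```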
## Mitigation Strategies
- Patching MS Office against related CVEs (CVE-2017-0199, CVE-2017-8759).
- Monitoring for the specific warning prompt related to linking to external files.
## Related Tools/Techniques
- Macro-based attacks (although DDE is often used to *avoid* macro warnings).
***
# Tool/Technique: PowerPoint Presentation Actions (Mouse Over/Run Program)
## Overview
Attackers abuse the "Action" features within Microsoft PowerPoint, specifically coupling the "Mouse Over" trigger with the "Run program" action, to execute arbitrary code or download malware when a user simply moves their mouse cursor over a specific area of the presentation slide.
## Technical Details
- Type: Technique
- Platform: MS Office Products (PowerPoint)
- Capabilities: Executing arbitrary programs upon user interaction (mouse movement).
- First Seen: Implied active usage leading up to 2018.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - Malicious File
## Functionality
### Core Capabilities
- Embedding a command (often a download/execution sequence) linked to a "Mouse Over" event in a presentation object.
- Utilizing the PPS (PowerPoint Show) format to ensure the file opens immediately in presentation mode, maximizing the chance of accidental triggering.
### Advanced Features
- The interaction is subtle (mere cursor movement), potentially leading to lower user suspicion than explicit clicking.
## Indicators of Compromise
- File Hashes: N/A
- File Names: PPS format files are commonly used to facilitate direct presentation launch.
- Network Indicators: Outbound connections initiated by the executed command.
- Behavioral Indicators: Opening a PPS file triggering a seemingly unrelated security warning ("Microsoft has identified a potential security concern") followed by execution.
## Associated Threat Actors
Threat actors leveraging file format abuse for initial access.
## Detection Methods
- Behavioral detection: Monitoring PowerPoint processes for spawning external executables (e.g., `cmd.exe`, `powershell.exe`).
- File scanning for embedded actions or scripts within presentation objects.
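The behavioral detection named here and in the DDE section above (an Office host spawning `cmd.exe` or `powershell.exe`) can be expressed as a parent/child check over process-creation telemetry. This is an added example, not code from the article: it reads Sysmon-style EventID 1 records as JSON lines, normalises image paths so `WINWORD.EXE` and `winword.exe` match, and tolerates corrupt lines. The event records are constructed sample data with placeholder command lines.

```python
import json
from pathlib import PureWindowsPath

# Office hosts named on the page: Word/Excel for DDE, PowerPoint for action abuse.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child processes the page calls out as the alerting condition.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path ('...\\WINWORD.EXE' -> 'winword.exe')."""
    return PureWindowsPath(path).name.lower()

def is_office_shell_spawn(event: dict) -> bool:
    """Sysmon-style process creation (EventID 1) with an Office parent and a shell child."""
    return (event.get("EventID") == 1
            and image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and image_name(event.get("Image", "")) in SHELL_CHILDREN)

def find_office_shell_spawns(lines: list) -> list:
    """Scan newline-delimited JSON events; return one alert dict per matching record."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a corrupt line instead of dropping the whole batch
        if is_office_shell_spawn(event):
            alerts.append({"host": event.get("Computer", "?"),
                           "parent": image_name(event["ParentImage"]),
                           "child": image_name(event["Image"]),
                           "command": event.get("CommandLine", "")})
    return alerts

# Constructed sample telemetry (not real logs); command lines are placeholders.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /c placeholder"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": OFFICE + r"\POWERPNT.EXE",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe placeholder"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},  # print helper, benign
    {"EventID": 1, "Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe"},  # user-launched shell, not Office
    {"EventID": 3, "Computer": "WS01", "Image": SYS32 + r"\cmd.exe"},  # network event, not process creation
]
SAMPLE_LINES = [json.dumps(e) for e in _EVENTS] + ["not json at all"]
```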
## Mitigation Strategies
- Disabling or restricting the use of 'Action' buttons or 'Run Program' settings in Office security policies.
- User training to be suspicious of unexpected security prompts upon opening presentations.
## Related Tools/Techniques
- OLE Object embedding.
***
# Tool/Technique: Credential Phishing via Document Prompt
## Overview
A social engineering technique in which a malicious document (e.g., Word) contains a link pointing to an attacker-controlled HTTPS server. When the document is opened, instead of executing code directly, it triggers a Windows authentication prompt, tricking the user into entering their domain or VPN credentials, which are then harvested by the attacker.
## Technical Details
- Type: Technique
- Platform: Windows (targeting credential prompts in Office documents)
- Capabilities: Credential harvesting via prompt imitation.
- First Seen: Highly effective traditional method still in use.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1110 - Brute Force
- T1555 - Credentials from Password Stores
- T1555.005 - Cloud Instance Metadata API (Less direct, but credential harvesting is the goal)
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
## Functionality
### Core Capabilities
- Displaying a believable Windows authentication dialog box requiring user input.
- Capturing the entered credentials and sending them to an external, attacker-controlled HTTPS server.
### Advanced Features
- Leverages user habit/trust in familiar system prompts.
- Credentials can subsequently be used for VPN access or further lateral movement (the article mentions Ruler-style attacks).
## Indicators of Compromise
- File Hashes: N/A
- File Names: DOC, DOCX documents containing embedded external references configured to trigger authentication prompts.
- Network Indicators: Outbound connection to the attacker-controlled HTTPS server at the time the prompt is answered.
- Behavioral Indicators: A genuine, locally generated Windows authentication prompt appearing immediately after opening a document.
## Associated Threat Actors
Widely used across threat actor tiers due to its simplicity and effectiveness.
## Detection Methods
- Network monitoring for documents making immediate outbound connections to external web servers upon loading.
- Endpoint monitoring for applications triggering credential prompt windows outside of expected system flows.
## Mitigation Strategies
- Deploying MFA across all services, especially VPNs, to render harvested credentials useless or less impactful.
- Disabling automatic connection to external resources triggered by documents if possible via policy.
## Related Tools/Techniques
- Direct credential harvesting malware.
***
# Tool/Technique: Microsoft Office Memory Corruption (CVE-2017-11882)
## Overview
An extremely dangerous memory corruption vulnerability in Microsoft Office (unpatched at the time of the article), exploitable simply by opening an RTF or DOC file. It results in **immediate remote access** without requiring any user interaction (no warnings, no macro enablement).
## Technical Details
- Type: Vulnerability / Exploit Payload Delivery
- Platform: Microsoft Office (Windows)
- Capabilities: Immediate remote code execution (RCE) upon file open.
- First Seen: Vulnerability discovered in 2017.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
## Functionality
### Core Capabilities
- Exploiting a flaw in memory handling (heap overflow/corruption) within the Office application engine.
- Achieving arbitrary code execution simply by launching the malicious file.
- Delivering and downloading secondary malware payloads post-exploitation.
### Advanced Features
- **Zero-interaction:** This technique bypasses user awareness entirely, unlike macro or DDE methods that require user confirmation or interaction.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes would be dependent on the delivered exploit variant)
- File Names: **RTF** and **DOC** extensions are explicitly called out as common delivery vectors.
- Network Indicators: Outbound connections used to pull down the final malware payload.
- Behavioral Indicators: No visible warning prompts; immediate execution following file opening.
## Associated Threat Actors
Any actor prioritizing high-impact, low-trace methods likely used exploits targeting this vulnerability.
## Detection Methods
- **Patch Management:** Applying the relevant Microsoft security update is the primary defense.
- Endpoint monitoring for memory corruption events related to Office processes.
## Mitigation Strategies
- **IMMEDIATE PATCHING:** Ensure MS Office is fully updated to remediate CVE-2017-11882.
- Advising users never to open unsolicited DOC or RTF files, even if they appear to be from a known source, until patching is confirmed.
## Related Tools/Techniques
- Other memory-based exploits targeting Office parsing engines.
***
## General Administrative Mitigation Strategies (From Article)
Blocking email attachments with the following extensions is recommended:
- DOC
- RTF
- XLS
- PPS
- CPL
- DOCM
- XBAP
- APPLICATION