{
	"id": "ddc50a12-e57e-485e-b3f0-7a22a055ad7c",
	"created_at": "2026-04-06T00:18:18.136265Z",
	"updated_at": "2026-04-10T03:35:53.045206Z",
	"deleted_at": null,
	"sha1_hash": "4ff7fe6d8159129f3ad9f1eec2d09aa3539037a1",
	"title": "Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 626647,
	"plain_text": "Microsoft Disables DDE Feature in Word to Prevent Further Malware\r\nAttacks\r\nBy Catalin Cimpanu\r\nPublished: 2017-12-15 · Archived: 2026-04-05 18:45:47 UTC\r\nAs part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word\r\napplications, after several malware campaigns have abused this feature to install malware.\r\nDDE stands for Dynamic Data Exchange, and this is an Office feature that allows an Office application to load data from\r\nother Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word\r\nfile is opened.\r\nDDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but\r\nDDE is still supported by Office applications.\r\nhttps://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/\r\nPage 1 of 4\n\nDDE feature abused to install malware\r\nIn October 2017, security researchers from SensePost published a tutorial on how the DDE feature could be weaponized and\r\nabused to distribute malware.\r\nEven though DDE had been abused to distribute malware in the '90s, the new methods explained in the SensePost tutorial were\r\nquickly adopted by malware distributors, first by FIN7, a group of hackers specialized in hitting financial organizations, and\r\nthen by distributors of mundane malware.\r\nAt the time, Microsoft did not consider DDE a vulnerability in the Office suite but said it was just another legitimate feature\r\nabused to distribute malware.\r\nThe reason why Microsoft did not consider DDE attacks to be security issues is that Office shows warnings before opening\r\nthe files. 
This is just another case where malware authors have found a creative way of abusing a legitimate feature, like\r\nwith OLE and macros, for which Microsoft also warns users before running.\r\nDecember 2017 Patch Tuesday disables DDE in Word\r\nAs new campaigns leveraging the DDE technique started to become more widespread, Microsoft's security team slowly\r\nbegan to change its mind.\r\nThe first sign was when Microsoft put out Security Advisory 4053440 in mid-October, which contained details about how\r\nusers could disable the DDE feature in Office applications that support it, such as Word, Outlook, and Excel.\r\nThis past Tuesday, Microsoft took a radical step to disable DDE inside Word altogether. This has been done by Office\r\nDefense in Depth Update ADV170021.\r\nThis update adds a new Windows registry key that controls the DDE feature's status for the Word app. The default value\r\ndisables DDE. Here are the registry key's values, if users need to re-enable DDE in Word.\r\n1. In the Registry Editor navigate to \\HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\version\\Word\\Security\r\nAllowDDE(DWORD)\r\n2. Set the DWORD value based on your requirements as follows:\r\nAllowDDE(DWORD) = 0: To disable DDE. This is the default setting after you install the update.\r\nAllowDDE(DWORD) = 1: To allow DDE requests to an already running program, but prevent DDE requests that require\r\nanother executable program to be launched.\r\nAllowDDE(DWORD) = 2: To fully allow DDE requests.\r\nMicrosoft has paid such close attention to DDE's recent abuse that ADV170021 also included updates for Word 2003\r\nand 2007, two versions it officially stopped supporting.\r\nThe company is aware that many users and enterprises still deploy these two versions and has delivered an out-of-band\r\nemergency update to protect customers from further abuse.\r\nMicrosoft will continue to support DDE inside Excel and Outlook, where this feature will remain enabled by default. 
The\r\ncompany advises users to read Security Advisory 4053440, where it details methods to disable DDE support via GUI\r\noptions or Windows registry modifications.\r\nSource: https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/"
	],
	"report_names": [
		"microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ff7fe6d8159129f3ad9f1eec2d09aa3539037a1.pdf",
		"text": "https://archive.orkl.eu/4ff7fe6d8159129f3ad9f1eec2d09aa3539037a1.txt",
		"img": "https://archive.orkl.eu/4ff7fe6d8159129f3ad9f1eec2d09aa3539037a1.jpg"
	}
}