{
	"id": "a84e42d2-283e-49a7-9df7-aab8298a78dc",
	"created_at": "2026-04-06T00:12:49.387185Z",
	"updated_at": "2026-04-10T03:22:04.997268Z",
	"deleted_at": null,
	"sha1_hash": "cf55ddd86dc426bfa7f19829b9b133ac366fc55a",
	"title": "Reviving DDE: Using OneNote and Excel for Code Execution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1840199,
	"plain_text": "Reviving DDE: Using OneNote and Excel for Code Execution\r\nBy Matt Nelson\r\nPublished: 2018-01-29 · Archived: 2026-04-05 19:47:38 UTC\r\nTL;DR: You can achieve DDE execution with Excel SpreadSheets embedded within OneNote. This bypasses the\r\noriginal Excel mitigation ruleset (Microsoft has released a patch to properly mitigate this) as well as the Protected\r\nView sandbox 🙂\r\nDynamic Data Exchange (DDE) has been a hot topic as of late. For those unfamiliar with DDE, it is designed to\r\ntransfer data between two applications. In 2014, Contextis put out a nice blog post on using DDE in Microsoft\r\nExcel for code execution by utilizing the “=DDE()” formula.\r\nThen, on October 9th 2017, SensePost released a really great blog post on abusing the DDEAUTO field code in\r\nMicrosoft Word to get code execution. Shortly after, various malware families adopted the technique and it was\r\nquickly seen in the wild.\r\nAfter seeing a spike in malicious use, Will Dormann (@wdormann) of US-CERT published some registry changes\r\nthat would widely mitigate most DDE threats. These changes disabled DDE and prevented links from\r\nautomatically updating for Word and Excel. Will added a OneNote block after sharing the details outlined below\r\nwith him privately. Unfortunately the only fix was to completely kill embedded files, which is less than ideal. You\r\ncan find these registry changes here: https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b\r\nThis guidance was really helpful to those dealing with actors using DDE techniques more and more. Then, on\r\nNovember 8th 2017, Microsoft published an official post that outlines mitigating the DDE threat for those who\r\ndon’t use the protocol in their environment, which was released under Advisory ADV170021 with additional\r\ndocumentation here. These mitigations were largely just for Word and it involved preventing any execution\r\nentirely as opposed to stopping automatic link updating. 
In addition to this post, Microsoft also\r\nstated that Protected View will prevent automatic DDE execution and that users should open untrusted documents\r\nwith caution.\r\nAfter seeing these new DDE mitigation recommendations, I became curious how these were handled when\r\nexecuted from within a different Office application, such as Publisher or OneNote. At the time, Will\r\nDormann’s gist was the only source for mitigation options in other Office apps (such as Excel) as Microsoft only\r\nreleased official guidance for Word.\r\nSo, why OneNote? Well, it allows a user to embed Excel spreadsheets into a note document and then save it. This\r\nprovides the end user the ability to reference or use Excel features directly within OneNote. As you may know,\r\nyou can abuse DDE in Excel to get code execution! Ideally, Will’s Excel registry changes to stop DDE attacks\r\nwould apply to any Excel sheets embedded in OneNote. Unfortunately, this wasn’t the case.\r\nWhen implementing Will’s Excel registry change (specifically “DDEAllowed” set to DWORD 0), you will see\r\nsomething like this when opening a spreadsheet that contains a DDE formula:\r\nhttps://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee\r\nPage 1 of 8\n\nExcel DDE Blocked via Registry Mitigations\r\nSo, the Excel DDE block is working as expected. Now, let’s look at OneNote. In order to utilize the Excel\r\nfunctionality in OneNote, you can go to “SpreadSheet” under the “Files” tab and either import an existing Excel\r\nSpreadsheet or create a new one.\r\nSo, OneNote allows us to import an existing spreadsheet. What happens if we import a DDE-laced spreadsheet?\r\nFirst, we need to create it. Ryan Hanson (@ryhanson) put out a tweet showing that you can manipulate the\r\nwarning box during DDE execution and change the binary name. 
This can be helpful as you can change it to\r\nsomething like “MSEXCEL.exe” instead of displaying “cmd.exe” or “powershell.exe”.\r\nSource: https://twitter.com/ryHanson/status/918598525792935936\r\nAfter adding that formula to an Excel spreadsheet and saving it, we can now test it to ensure it displays properly.\r\nTo do so, I have removed the Excel DDE mitigation registry changes.\r\nExecution without registry mitigations applied\r\nGreat, so it works. Next, let’s test it with Will’s Excel registry changes applied:\r\nExcel DDE Blocked via Registry Mitigations\r\nAwesome, so these changes do indeed block the Excel DDE POC that we have just created. Now that we have our\r\nDDE spreadsheet ready and tested, we can import it into OneNote by going to “Insert-\u003eSpreadSheet-\u003eExisting\r\nExcel SpreadSheet”\r\nOneNote will ask you to browse to the file you want to import, which will be the previously created DDE laced\r\nspreadsheet. Next, it will ask you if you want to attach the file or insert the spreadsheet. We will do “Insert\r\nSpreadSheet”\r\nOneNote will then import the spreadsheet and during that process, it will attempt to execute your DDE command.\r\nTo prevent that, simply click “No”\r\nImporting weaponized Excel Sheet\r\nFinally, save the OneNote file. At this point, that OneNote file has a DDE laced Excel SpreadSheet directly\r\nembedded in it. 
Now, let’s see what happens when the Excel SpreadSheet is accessed from within the OneNote\r\nfile with the Excel DDE mitigation registry changes in place:\r\nDDE execution despite Excel registry changes\r\nClicking “Yes” results in the command being executed:\r\nDDE execution despite Excel registry changes\r\nSo, despite blocking DDE in Excel via “DDEAllowed”, the functionality is still there when accessed through\r\nOneNote. After chatting with Will Dormann, the only working mitigation is to set “DisableEmbeddedFiles” to 1.\r\nThis obviously kills all file embedding functionality as a side-effect, which isn’t great for usability.\r\nAs mentioned above, one of Microsoft’s statements notes that Protected View will prevent the DDE vectors when\r\noriginating from an untrusted source (such as the internet). This is the case for most Office applications as any\r\ncontent originating from an untrusted source is opened in a sandbox first. OneNote, however, is not enrolled\r\nin Protected View and will not trigger it when pulled from the internet.\r\nIf a user has OneNote installed, an attacker can embed a weaponized Excel spreadsheet into a OneNote file and\r\nsend it to a victim via a weblink or an email attachment. When the user receives the OneNote file and opens the\r\nembedded spreadsheet, it will not open in Protected View and they will simply be presented with the DDE prompt\r\n(which you can tamper with as demonstrated above):\r\nDemo of DDE execution from the internet (bypassing Protected View sandbox)\r\n*It should be noted that the Protected View aspect was reported to MSRC on April 20th, 2017 and it was\r\ndeemed not a security issue.\r\nSo, what can you do? Well, at the time, the only mitigation was to completely kill embedding in OneNote. 
This\r\nwas reported to Microsoft on October 10th of 2017 and on January 9th, 2018 they pushed out an update to all\r\nOffice versions going back to 2007. The Excel update was added to the already existing Advisory ADV170021, in\r\nwhich that advisory now details how to implement mitigations for both Excel and Word (since it was previously\r\nonly Word that was available). Additional documentation can be found here.\r\nThis update created a value you can add under Microsoft Excel’s security options in the registry. By setting\r\n“DisableDDEServerLaunch” to DWORD 1, DDE will effectively be neutered for Excel. This is important because\r\nOneNote itself wasn’t entirely interesting. It was the embedded Excel functionality that made this attack work. By\r\nadding mitigation options for Excel, users can protect themselves from this attack.\r\nAdditionally, you can employ Attack Surface Reduction (ASR) rules in Windows 10 1709 to prevent not only\r\nDDE attacks, but other attacks where an Office program is spawning a child process. You can read more on\r\nASR here.\r\n-Matt N.\r\nSource: https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee"
	],
	"report_names": [
		"reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee"
	],
	"threat_actors": [],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf55ddd86dc426bfa7f19829b9b133ac366fc55a.pdf",
		"text": "https://archive.orkl.eu/cf55ddd86dc426bfa7f19829b9b133ac366fc55a.txt",
		"img": "https://archive.orkl.eu/cf55ddd86dc426bfa7f19829b9b133ac366fc55a.jpg"
	}
}