DDE_Exploit - description
- Last Updated: May 1, 2026
- 1 minute read
- Flowmon Products
- Flowmon Anomaly Detection System
- Documentation
Sources:
- DNSMessenger: A new malware that uses DNS for communications
- Hancitor malspam uses DDE attack
- Necurs Botnet malspam pushes Locky using DDE attack
- Necurs attackers now want to see your desktop
Attackers have shifted from using Microsoft Word documents with malicious macros to documents that exploit Microsoft's Dynamic Data Exchange (DDE) technique. This method is less effective than macro attacks because users must click through several warning messages before infection occurs. Attackers typically distribute these documents as email attachments, which can deliver various threats including Locky ransomware.
Flowmon ADS detects network traffic when systems download malicious files through DDE exploits and when infected systems communicate with command and control (C&C) servers.
