DDE (Dynamic Data Exchange) is a very old and almost forgotten feature of Microsoft Office. Designed to automate the exchange of data between applications, it can be easily exploited to execute arbitrary code without any macro or other active content.

About one month ago, samples of office documents exploiting DDE to spread ransomware have been found in the wild. Security vendors quickly updated their products in order to detect and block such threats.

Unfortunately there are may ways to leverage DDE, some of which are quite elusive. Over the last few weeks new ways to exploit DDE eluding detection have been found and security vendors reacted with variable speed. Here, for example, is a sample of a .doc file that we posted on VirusTotal over three weeks ago. At that time no AV engine detected it, today, about one month later, less than one third of the engines detect it and some big names are among the ones that don’t.

Now, we just created a new .xls sample that is currently detected by ZERO engines according to VirusTotal. This sample is harmless, it just demonstrates how to leverage DDE eluding detection: it uses DDE to launch powershell which in turn launches calc.exe. Once you manage to execute powershell you can let it dynamically download code from a remote website and execute it. This specific sample demonstrates how to exploit DDE without being detected, we’ve tested also harmful samples (using powershell to download and execute malicious code) with the same outcome.


As you can see from the screenshot above, the sample is currently undetected by all of the engines running on VirusTotal.

You can download the sample from VirusTotal, we also added this sample to our Email Security Tester, a service that sends you a few emails containing different types of threats in order to test your email security setup.


Rodolfo Saccani


This is the presentation that I used in my speech at the 2017 Security Summit in Milan.

Security Summit, organized by ClusIt, is the most important security event in Italy. My speech was about protecting from unknown threats delivered via email, the focus was on the relationship between pragmatism and security.

In this post I will go through the items of this speech.


The source of today’s security issues lays mainly in the great complexity of the systems we use, such complexity creates a big attack surface. If we link such a big attack surface to the strong motivations to violate our systems, mainly due to the ransomware and phishing business, we can understand why today the new threats, not yet known, are daily business. We’ve seen about 30 thousand new ransomware variants in 2016, which means tens of new threats every day. The security systems, in order to be effective, must be able to intercept such threats even if they don’t know them in advance.

Security systems, in computer science like in the physical world, must be maintained as simple as possible because complexity is the enemy of security. It reduces the reliability and increases the attack surface.

Some security solutions are more oriented towards marketing needs rather than security needs. A sanboxe based on virtual machines, for example, is a system even more complex than the one it should defend: it is a windows system virtualized in an environment instrumented with additional software that tries to observe the malware without being observed in turn by the malware itself. This must be done with short analysis times, typically within two minutes, not to excessively encumber on the company workflows (and to contain costs).

The malware authors have the very same sandboxes that we use, the malware can be tested in such sandboxes before being released. Malware authors quickly learned to trick the sandbox. While the sandbox has just a couple of minutes to provide a response, the malware, once it has infected the PC, has all the time to manifest itself, it can just wait some time not to be identified by the sandbox. The sandbox started tricking the malware into believing that time passed faster and malware learned how to use this characteristic to detect the sandbox. This very simplified example just to say that the etrnal fight between attack and defense just moved into a different environment without changing the background pattern. In this new environment it’s who defends the one in disadvantage.

But a sandbox is a strong marketing argument because complexity sells more than pragmatism.

These sandboxes are exceptional tools for the analysis and the study of the malware, but when they are used as filters they show many weaknesses and they offer a discrete attack surface. A few days ago at Pwn2Own, a cybersecurity contest, one team managed to escape from the vm and compromise the host. With just a click on a link. Imagine a malware that compromises the sandbox in order to infect all the analyzed files … how does it sound?

So, let’s use the complexity prudently and only where we really need it, knowing that every increase in complexity reduces the security, it has a cost.

Protecting from file-based threats

About the file-based threats, in my speech I’ve performed, along with the audience, the analysis of the problem starting from square zero. Let’s analyze the problem again starting from scratch and let’s add complexity until we’ve reached our goal.

Le’ts start from the “firewall” approach. Do you remember when on the firewall we used to close selectively the ports? All ports open by default except the ones we decided to close. Then we inverted this logic: everything is closed and we selectively open based on what we actually need. This simple change of paradigm alone drastically improved security.

Let’s have the same approach. Do we really need executables attacched to our emails? Do we need .exe, .js and so on? No, we don’t. The experience of over one billion emails per month tells us that we don’t need such files, removing them doesn’t impact on the company workflows, so let’s block them without even analyzing them.
Your technician of the IT dept needs to receive jar files? Fine, let’s add an exception for him. Firewall approach. Everything is blocked and we selectively unblock.

Very simple solution, trivial, to remove most of the attack vectors.
We still have the documents though. Office documents, pdf files, such formats now are so complex that they can contain code that can do anything. What do we do with those? For sure we can’t block them.

Ok, it’s time for a one notch increase in complexity. One step towards a greater complexity justified by a real need. Let’s do it.

Let’s analyze the document. Does it contain code or not? If not, it goes through. Firewall approach. But what if it does contain code? For sure we can’t block all the spreadsheets with a macro! Right.

One more notch of complexity is justified. let’s do it.
Now that we know that the document contains code, let’s roll up our sleeves and let’s inspect what it does. Does it perform calculations in a spreadsheet, other automation that is normal in a document? Ok, let’s define a set of safe operatione and let them go through. Firewall approach. This analysis can be done quickly and safely, let’s do it.

Great, we’ve given green light to documents with innocuous macros. What about the other ones? We can’t block them all, we risk creating some disservice.

Ok, one more notch of complexity. Why don’t we “clean” these files that we classified as “suspect”? We can remove the “active” content, the macro, the embedded ocx object, the javascript code in a pdf. Let’s remove such code and deliver an innocuous document. It can still be used as a document, but without code.

Here we are. We just need the finishing touches: define what to do with encrypted documents that we cannot analyze (easy, we block them because today they are one of the biggest vehicles of ransomware), and what to do in the unlucky case where a malware manages to crash my sandbox in order not to be identified: in this case we categorize it as “indeterminate” and by default we remove all the active content. It’s a simple good programming practice to foresee the case where someone manages to perform sabotage on your sandbox (we still see sandboxes that in such conditions let go through the malware that managed to undermine them).

Finally, let’s make configurable by the sysadmin the behaviour in case of safe, suspect, encrypted and indeterminate documents, so that the admin can decide what to let go through, what to block and what to “clean”. Let’s also make sure that everytime we modify a file we keep the original copy so that it can be recovered, should it be needed.

At this point the goal is reached, we protected from file-based attacks, including the ones that are not yet known, and we did it with the simplest solution possible. An analysis and a selective cleaning that are fast, that can be done while the mail is being analysed by the antispam engine, without uploading your files on a third party cloud service, without compliance and privacy issues, without introducing delays that impact on the workflows. Goal achieved with minimal complexity and minimal attack surface.

Protecting from malicious links

So? Should we absolutely avoid complexity in any case? No
We should just use complexity where we need it without fear but considering it a cost that must be justified.

For example, complexity is more than justified to protect from malicious URLs.

The most frequent attack today is a mail coming from a legit sender (whose account is being used illegally), with a short and very generic text, which contains a link to a legit site (infected five minutes ago) on which has been injected a malware that installs itself just visiting that page. One click and you get the ransomware.

This type of attack is a big problem because such a mail could slip through and not be identified as malicious. When the email is being analyzed, we rewrite the URL so that instead of pointing to that page, it now points to our sandbox, we’ll see that here a complex sandbox is justified. Let’s buy some time because time is on our side, the more time passes and the easier it will be of us to identify a legit site that has just been infected, so let’s just rewrite the URL and postpone the analysis to the very last possible moment: at the moment of the click.

Whe the click happens, the user’s browser lands in our sandbox which, only in this very moment, visits the page and analyzes it. It follows the redirects, it visits the page from multiple locations in order to highlight evasion techniques, it evaluates how it presents itself to the search engines, it looks for infection traces, phishing attempts and so on.

Let’s not economize complexity because here it is useful and pays back. Most importantly, here is the sandbox that is advantaged: thee malware cannot wait, it must immediately manifest itself, the infection must happen when the page is loaded. Also, the available techniques in order to hide from sandboxes are limited and we, visiting the page in many ways and from different “places”, can identify them. This is a huge advantage: just putting in place evasion techniques reveals the presence of the malware, including the most complex and not jet known one, making it extremely vulnerable to our analysis.

Here is where the complexity is justified.

If you want to go deeper, here there is an explanation about how the file analysis works and here the one for the URLs.


Rodolfo Saccani, Security R&D Manager at Libra Esva

There is a big illicit business out there and it’s driven by a simple old trick: deception.
Deception is at the base of many online black and gray activities, from click baiting to ransomware.

Pair deception with email and what you get is email phishing.
The target of e-mail phishing campaigns is inducing the victim to perform an action at the advantage of the attacker. It’s as simple as this.

In order to induce you to perform an action against your own interest, the attacker uses the following deception tools:
– a message that grabs your attention
– a sense of urgency
– a call-to-action

What if I tell you that your Apple account has been disabled and that you won’t be able to use your devices until you fix it?
What if you happen to know that money has just been withdrawn from your bank account? Maybe you should check immediately.
What if your mailbox quota has been exceeded and you won’t receive emails until you act?
Of course there are also incredible offers or you may be the winner of a great prize or maybe a young beautiful girl wants to know you.

I guess you’ve already experienced some of these messages, if not all of them.

So far for grabbing attention and transmitting a sense of urgency. What about the call-to-action?
The call-to-action, as usual, varies from clicking on a link to land on a site that drops it’s infective payload or asks you to enter personal information to opening an attachment.

It’s important to note, though, the difference between mass phishing and targeted phishing, also known as spearphishing.
Spearphishing is phishing targeted to a specific person, building a credible message based on knowledge gathered on social networking sites or other sources. Spearphihing is much more difficult to detect.

For the first Libra Esva Partner Event, in may 2016, I’ve done an interesting experiment. I’ve used the open source framework gophish to create a phishing campaign in order to assess, in practice, how effective such campaigns are.
Gophish is one among many tools that make it easy to create and phishing campaigns, it assists you in the whole process from the creation of the email template and landing page to the real time metrics and analytics. It’s a complete framework, it also acts as a web server to serve your phishing site.

Such phishing tools are particularly valuable for training your users not to fall for real phishing. You can run, for example, a phishing campaign on the employees of your company and then follow-up with a training session. The phishing campaign has both the advantage of measuring the effectiveness of your training over time and also to make the training more effective by attaching it to a real and direct experience.

In my test, I created a fake LinkedIN contact request by grabbing the content of a real LinkedIN email. I also grabbed the content of a LinkedIN loging page to create my phishing landing page. Then I sent the phishing email to all the participants to the Partner Event.
The numbers suprised all of us.
We sent 44 emails, 24 of which have been opened. A respectable open rate of 54%.
18 “targets” clicked on the link and landed on our fake login page: 75% click-throug-rate.
We don’t know whether they attempted to enter their credentials or not because the page didn’t submit any data, it just informed the user of the phishing experiment when they pressed the “submit button”.

results of phishing test

In the end, 40% of the “targets” ended up clicking on the link and this is all you need in order to get infected.
40% is a huge number considering that this was a very security-literate audience.
Remember: just clicking on a random link can get you infected. If you are not convinced about this just have a look at a the security fixes that Microsoft releases every second Tuesday of the month, search for the ones flagged as “remote code execution vulnerability”.

Phishing is a real danger because it is effective and very affordable. The good news is that with a reasonable effort you can use phishing to rise awareness among your users and make your training more effective.

How can an email security appliance help with phishing?

The standard spam fighting techniques are not sufficient for phishing. Phishing emails often closely resemble real emails from your bank, your service provider, you colleagues. They often come from legit end-user email accounts illicitly used with passwords coming from database breaches (don’t reuse your passwords, use a password manager) or from infected computers. Content analysis must rely on the detection of subtle differences.

Besides AV engines, filename and filetype policies, nested archive scanning, Libra ESVA provides “ESVA Labs” which is based on collaborative detection and expert analysis. Administrators and users of our appliances can report false positives and false negatives to our ESVA Labs. These reports are immediately delivered to us along with the internal analysis performed by ESVA and most of them are very pertinent. We don’t have to dig through hundreds of thousands of non-pertinent reports and we can quickly analyze them. Our analysis team updates and releases new detection rules usually within 30 minutes form the report, the new detection rules are automatically downloaded by all ESVA appliances every hour. Being quickly reactive is the key to fight phishing.

Rodolfo Saccani