Exploit:O97M/DDEDownloader.C
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat misuses the Dynamic Data Exchange (DDE) message protocol to deliver malware on target devices. Attackers typically send phishing emails with malicious .doc file attachments and take advantage of the Windows DDE protocol to launch PowerShell scripts and perform remote code execution.
To learn more about mitigating DDE attack scenarios, read:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
- Check whether the detected file and its associated process are active. Also determine whether the file arrived through a phishing email or whether it was downloaded from the internet.
- Turn off the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security that is specific to the Microsoft Office feature.
- Turn off Microsoft Office macros and enforce "Protected View" where possible, because this threat often relies on socially engineering users into clicking "Enable Macros" or into leaving "Protected View" disabled as a way to launch arbitrary code.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.