Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4690
Views
5
Helpful
8
Replies

Filter E-Mails DDE Office (Word documents)

it.infrastructure
Level 1
Level 1

‎10-13-2017 11:29 PM - last edited on ‎03-25-2019 04:54 PM by Community Manager

Hello,

 

somebody already filtering successfully Word documents with DDE inside?

Some background information:

https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

https://blog.cloudmark.com/2017/10/10/newly-disclosed-vulnerability-in-ms-word-allows-code-execution-without-macros-enabled/

http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

 

DDE is NOT detected by Macro detection.

Yes, CISCO AMP could find malicious documents, but in my opinion it could make sense to filter every document for untrusted sender and store it to quarantaine.

 

Regards

 

Marc

3 people had this problem
Labels:
0 Helpful
8 Replies 8

pierre-emmanuel.pardon
Level 1
Level 1

‎10-16-2017 02:43 AM

Hello @all,

 

We are working on a filter (see bellow) which is able to match DDE but unfortunately we are stuck with the limitation of the conditions which "operates in a unary form"of attachment.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117856-qanda-esa-00.html

 

DDE_match: if (attachment-contains("{ *DDE(|AUTO)", 1)) { log-entry("DDE_match: $MatchedContent"); }

 

Here is an example of what we are looking for:
{ DDE excel "C:\\My Documents\\Profits.xls" "Sheet1!R1C1:R4C4" \a \p }
{ DDEAUTO excel "C:\\My Documents\\Profits.xls" "Sheet1!R1C1:R4C4" \p }

 

In fact, the need is quite straightforward: we want to search a specific pattern inside an Office document (which is compressed). Is it possible?

 

to be continued...

0 Helpful

Devrim Kalmaz
Level 1
Level 1
In response to pierre-emmanuel.pardon

‎10-20-2017 03:24 AM

also looking for a solution,

0 Helpful

it.infrastructure
Level 1
Level 1
In response to Devrim Kalmaz

‎10-20-2017 04:08 AM

Hello,

 

i have tested Mail filter at cli with attachement-contains (like second post) but did not find something inside DOCX.

I have tested content filter (GUI) with attachement-contains, also no luck :-(

anybody found a working solution?

 

Cisco TAC opened, they have also not found a solution with example document i sent them.

 

Regards

0 Helpful

Devrim Kalmaz
Level 1
Level 1
In response to it.infrastructure

‎10-20-2017 04:14 AM

i also opened a TAC today,waiting for response,

0 Helpful

daro
Level 1
Level 1
In response to pierre-emmanuel.pardon

‎10-20-2017 04:35 AM

TAC did not find a reliable way to filter DDE enabled office files:

 

This threat should be already detected by the AMP and AV on the ESA as confirmed below by Talos :

http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

 

There are Content Filter conditions to detect macros and then perform the desired action for example add a warning template. However, there is no Message/Content Filter condition to detected DDE and/or DDEAUTO enabled document files.

 

If you know something that can be used by filters to look for to detect this type of files ,Then we can create a custom content filter to look for the text that is contained in the attachment itself ,

In your case you need to add a condition “attachment-contains("Unexpected", 1)” , as the syntax of the test word document you’re using will be changed to “Unexpected End of Formula”

 

But in case of the real exploit , am not sure if this is the exact syntax that is contained in the attachment ,

 

it.infrastructure
Level 1
Level 1
In response to daro

‎10-20-2017 01:10 PM

Hello @Aliki,

 

seems to be tricky :-(

Anybody from CISCO following/reviewing this thread?

 

Filter for DDE(AUTO) would be more than helpful.

 

In meantime we got information from different sources that this kind of documents are used to spread locky ransomware with email.

 

Of course, AMP and AV will block malicious emails.

But, in my personal opinion, AV can not detect any malicious document (very fast changing).

Also there is a risk that AMP will not detect with using of sandbox evasion techniques.

 

So, also in my personal opinion, the safest way would be to have a way to move DDE(AUTO) documents to quarantine, like the already possible way for macro enabled documents

 

Would be glad about every answer, every opinion, every hint for filter.

 

In meantime, this could help on client site:

https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b

 

Regards

 

Marc 

0 Helpful

it.infrastructure
Level 1
Level 1
In response to it.infrastructure

‎10-20-2017 01:46 PM

Hello,

 

one example from ESA, received yesterday (spoofed mail):

 

DOCX Document

Analysis of SHA256 from Sandbox :

https://www.hybrid-analysis.com/sample/31b8c756f789cd865060085b48e8c7c20ee1612eb897e3c044564dfd669894b8?environmentId=100

 

ESA is showing on message tracking:

 

2017-10-20 22_36_14-Message Details - Internet Explorer.png

 

The message was scanned by Sophos: Clean (!)

CISCO AMP : Clean (!)

 

Later. file has changed AMP status, Retrospective Verdict Changes

I do not know it was changed later?

Maybe somebody can explain me this?

Why is the file first classified as clean and after some hours as malicious?

So the file is already inside user mailbox :-(

 

Regards

 

Marc

0 Helpful

daro
Level 1
Level 1
In response to it.infrastructure

‎10-25-2017 12:43 AM

can you find the initial ThreatGrid report in your ESA File Analysis Dashboard?
0 Helpful
Customers Also Viewed These Support Documents