MITRE ATT&CK Technique
Description
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec 2017)(Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.(Citation: SensePost PS DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess DDE Oct 2017) Similarly, adversaries may infect payloads to execute applications and/or commands on a victim device by way of embedding DDE formulas within a CSV file intended to be opened through a Windows spreadsheet program.(Citation: OWASP CSV Injection)(Citation: CSV Excel Macro Injection ) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-12T14:10:50.699Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may use Windows Dynamic Data Exchange (DDE) to '
'execute arbitrary commands. DDE is a client-server protocol '
'for one-time and/or continuous inter-process communication '
'(IPC) between applications. Once a link is established, '
'applications can autonomously exchange transactions '
'consisting of strings, warm data links (notifications when a '
'data item changes), hot data links (duplications of changes '
'to a data item), and requests for command execution.\n'
'\n'
'Object Linking and Embedding (OLE), or the ability to link '
'data between documents, was originally implemented through '
'DDE. Despite being superseded by [Component Object '
'Model](https://attack.mitre.org/techniques/T1559/001), DDE '
'may be enabled in Windows 10 and most of Microsoft Office '
'2016 via Registry keys.(Citation: BleepingComputer DDE '
'Disabled in Word Dec 2017)(Citation: Microsoft ADV170021 Dec '
'2017)(Citation: Microsoft DDE Advisory Nov 2017)\n'
'\n'
'Microsoft Office documents can be poisoned with DDE commands, '
'directly or through embedded files, and used to deliver '
'execution via '
'[Phishing](https://attack.mitre.org/techniques/T1566) '
'campaigns or hosted Web content, avoiding the use of Visual '
'Basic for Applications (VBA) macros.(Citation: SensePost PS '
'DDE May 2016)(Citation: Kettle CSV DDE Aug 2014)(Citation: '
'Enigma Reviving DDE Jan 2018)(Citation: SensePost MacroLess '
'DDE Oct 2017) Similarly, adversaries may infect payloads to '
'execute applications and/or commands on a victim device by '
'way of embedding DDE formulas within a CSV file intended to '
'be opened through a Windows spreadsheet program.(Citation: '
'OWASP CSV Injection)(Citation: CSV Excel Macro Injection )\n'
'\n'
'DDE could also be leveraged by an adversary operating on a '
'compromised machine who does not have direct access to a '
'[Command and Scripting '
'Interpreter](https://attack.mitre.org/techniques/T1059). DDE '
'execution can be invoked remotely via [Remote '
'Services](https://attack.mitre.org/techniques/T1021) such as '
'[Distributed Component Object '
'Model](https://attack.mitre.org/techniques/T1021/003) '
'(DCOM).(Citation: Fireeye Hunting COM June 2019)',
'external_references': [{'external_id': 'T1559.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1559/002'},
{'description': ' Albinowax Timo Goosen. (n.d.). CSV '
'Injection. Retrieved February 7, '
'2022.',
'source_name': 'OWASP CSV Injection',
'url': 'https://owasp.org/www-community/attacks/CSV_Injection'},
{'description': ' Ishaq Mohammed . (2021, January '
'10). Everything about CSV Injection '
'and CSV Excel Macro Injection. '
'Retrieved February 7, 2022.',
'source_name': 'CSV Excel Macro Injection ',
'url': 'https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/'},
{'description': 'Cimpanu, C. (2017, December 15). '
'Microsoft Disables DDE Feature in '
'Word to Prevent Further Malware '
'Attacks. Retrieved December 19, '
'2017.',
'source_name': 'BleepingComputer DDE Disabled in '
'Word Dec 2017',
'url': 'https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/'},
{'description': 'El-Sherei, S. (2016, May 20). '
'PowerShell, C-Sharp and DDE The '
'Power Within. Retrieved November 22, '
'2017.',
'source_name': 'SensePost PS DDE May 2016',
'url': 'https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/'},
{'description': 'Hamilton, C. (2019, June 4). Hunting '
'COM Objects. Retrieved June 10, '
'2019.',
'source_name': 'Fireeye Hunting COM June 2019',
'url': 'https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html'},
{'description': 'Kettle, J. (2014, August 29). Comma '
'Separated Vulnerabilities. Retrieved '
'November 22, 2017.',
'source_name': 'Kettle CSV DDE Aug 2014',
'url': 'https://www.contextis.com/blog/comma-separated-vulnerabilities'},
{'description': 'Microsoft. (2017, December 12). '
'ADV170021 - Microsoft Office Defense '
'in Depth Update. Retrieved February '
'3, 2018.',
'source_name': 'Microsoft ADV170021 Dec 2017',
'url': 'https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021'},
{'description': 'Microsoft. (2017, November 8). '
'Microsoft Security Advisory 4053440 '
'- Securely opening Microsoft Office '
'documents that contain Dynamic Data '
'Exchange (DDE) fields. Retrieved '
'November 21, 2017.',
'source_name': 'Microsoft DDE Advisory Nov 2017',
'url': 'https://technet.microsoft.com/library/security/4053440'},
{'description': 'Nelson, M. (2018, January 29). '
'Reviving DDE: Using OneNote and '
'Excel for Code Execution. Retrieved '
'February 3, 2018.',
'source_name': 'Enigma Reviving DDE Jan 2018',
'url': 'https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee'},
{'description': 'NVISO Labs. (2017, October 11). '
'Detecting DDE in MS Office '
'documents. Retrieved November 21, '
'2017.',
'source_name': 'NVisio Labs DDE Detection Oct 2017',
'url': 'https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/'},
{'description': 'Stalmans, E., El-Sherei, S. (2017, '
'October 9). Macro-less Code Exec in '
'MSWord. Retrieved November 21, 2017.',
'source_name': 'SensePost MacroLess DDE Oct 2017',
'url': 'https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/'}],
'id': 'attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:48:31.581Z',
'name': 'Dynamic Data Exchange',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.4'}