Live Active security incident? Get immediate response
MITRE ATT&CK® Mitigation

T1173: Dynamic Data Exchange Mitigation

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [1] [2] [3] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. [4]

Ensure Protected View is enabled [5] and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. [6] [3]

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [7] [6]

EnterpriseT1173MitigationObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Historical object

This ATT&CK object is revoked or deprecated in the current MITRE ATT&CK release.

It remains available for historical context and inbound links. Use current ATT&CK relationships and replacement guidance before basing detection or reporting work on this page.

Glexia's Take

Analyst summary pending validation

Glexia publishes ATT&CK takes only after source-hash and schema validation. Until then, use the official MITRE definition below and the defensive relationship context on this page.

Official MITRE ATT&CK definition

Dynamic Data Exchange Mitigation

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [1] [2] [3] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. [4]

Ensure Protected View is enabled [5] and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. [6] [3]

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. [7] [6]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
93575fb7c1966814...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle Deprecated 93575fb7c196…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Microsoft DDE Advisory Nov 2017

    Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.

    Open source URL
  2. [2]
    BleepingComputer DDE Disabled in Word Dec 2017

    Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.

    Open source URL
  3. [3]
    GitHub Disable DDEAUTO Oct 2017

    Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.

    Open source URL
  4. [4]
    Microsoft ADV170021 Dec 2017

    Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.

    Open source URL
  5. [5]
    Microsoft Protected View

    Microsoft. (n.d.). What is Protected View?. Retrieved November 22, 2017.

    Open source URL
  6. [6]
    Enigma Reviving DDE Jan 2018

    Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.

    Open source URL
  7. [7]
    Microsoft ASR Nov 2017

    Brower, N. & D'Souza-Wiltshire, I. (2017, November 9). Enable Attack surface reduction. Retrieved February 3, 2018.

    Open source URL
  8. [8]
    mitre-attack T1173
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use