It appears so. I assume most are by now monitoring the script engines, rundll32, command shell, etc.. startup from Word. I recently added csc.exe for the various .Net engines after I saw that was being used maliciously to compile a .Net executable on the fly.
More info here: https://www.scmagazine.com/phishers...stribute-dnsmessenger-malware/article/699918/https://www.scmagazine.com/phishers...stribute-dnsmessenger-malware/article/699918/ . This SEC attack is Powershell based.
Also noteworthy is Enigma reported this issue to Microsoft in April, 2017. As noted in the article, it is possible to bypass Word's "Protected View" mode with these attacks. https://enigma0x3.net/2017/07/13/phishing-against-protected-view/
It is also not just Word that has been vulnerable to DDE attacks as noted by this Flash exploit last year: ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/
Simply by blocking child process execution, you can stop this attack. SpyShelter also monitors DDE execution. For example, it will block VT Uploader from launching the browser via DDE.