But then it's really not much better than spamming a .ps1 or .js script (handled by Windows Script Host by default), or even straight up executable as many already do.
If they're at that level then there's really not much you can do but avoid having them get the stuff in the first place.
So can this, it'd be fairly trivial to detect and block anything using DDE at the file level - however a common strategy is to send an encrypted archive file and give the password in the email to bypass that detection. Trashing all encrypted archives automatically.... ehh, maybe viable?
If they're at that level then there's really not much you can do but avoid having them get the stuff in the first place.