On September 7, 2021, Microsoft released a statement warning of targeted attacks attempting to exploit a remote code vulnerability found in Office 365 and Office 2019 on Windows 10. The vulnerability involves a zero-day remote code execution in MSHTML, which is Internet Explorers main HTML component.
CVE-2021-40444 is a vulnerability that becomes exploited when attackers create specially crafted, malicious Microsoft Office documents using ActiveX control. After sending the document, the attacker then tries to convince the victim to open the document so they can gain user rights on a system. Victims with administrative user rights over documents are more susceptible to these attacks than those who have less user rights.
Cyber Security researchers state that the exploit uses logical flaws and is dangerous – with a rating of 8.8 out of 10 on the Common Vulnerability Scoring System. There are currently no patches for the vulnerability, but Microsoft has published mitigations and workarounds to help keep your organization safe. If you have not already taken the steps to help protect your systems, please do so now by reading our recommendations below.
We are currently pushing known IoCs to our managed SIEMs.