Office 365 Users Are Being Targeted By This Highly Sophisticated Zero-Day Security Threat

Security researchers say they discovered and reported to Microsoft a "highly sophisticated" zero-day attack vector in Windows that targets Office 365 and Office 2019 users. In some cases, simply opening an infected document would be enough to compromise a PC. Furthermore, there does not yet exist a patch, though one is on the way.

In a Twitter post, cybersecurity outfit EXPMON said it notified Microsoft of the flaw over on Sunday and has been "working tirelessly over the holiday weekend to protect users." EXPMON also said it was able to reproduce the attack method on a typical user environment.

Microsoft released a security bulletin (CVD-2021-40444) saying it is investigation the situation, and is aware of targeted attacks that aim to exploit the vulnerability by way of specially-crafted Office documents. It affects Windows 8.1, Windows 10, and Windows Server 2008 through 2019, and carries a severity rating of 8.8 (out of 10).

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft explains.

The remote code execution flaw resides in MSHTML, also known as Trident, which is the rendering engine for Internet Explorer. Microsoft has shifted focus to its retooled Edge browser in the browser space, but many companies still use and rely on IE for various reasons.

Fortunately, default configurations in Office prevent this vulnerability from being exploited, because unless the settings are changed, documents from the web are opened in Protected View or Application Guard. According to Microsoft, these both mitigate the attack. Keeping antivirus software up to date should also help.

"Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments," Microsoft says.

In addition, Microsoft says a workaround to thwart the zero-day vulnerability is to disable ActiveX controls on individual systems.