Cyber Alert

Unpatched Zero-Day Exploit Detected Targeting Microsoft Office

Cyber Defence Team
April 11, 2017


Threat Overview:

A previously undisclosed vulnerability has been identified in the wild, affecting unpatched versions of Microsoft Office and Microsoft Windows Operating Systems.

The vulnerability relates to the Windows OLE (Object Linking and Embedding) function, found in Microsoft Windows and Office software, which allows an application to link to and embed content in other documents, and is being leveraged by malicious actors as a targeted attack vector for the installation of multiple malware variants. Analysis of the attack chain reveals an adversary sending the victim an email containing a word document as an attachment. When the targeted user opens this specifically crafted word document, the exploit, the winword.exe application is launched, triggering the download of a malicious HTA (HTML Application) file from a remote server controlled by the attacker. The .hta file is executable, allowing remote code execution capabilities on the target computer. The .hta file is disguised as an RTF (Rich Text Format) document in an attempt to evade current security countermeasures.

Importantly, this RTF is intended to act as a decoy, while the malicious HTML application continues to run in the background, downloading additional payloads and executing a malicious script to install malware onto the users system. The original winword.exe process is terminated in an attempt to hide a user prompt generated by the OLE2link.


  • The malicious office documents are detected as Malware.Binary.Rtf
  • This vulnerability is bypassing most mitigations
  • Attacks leveraging this vulnerability have been detected in the wild as far back as January 2017

Remediation & Mitigation

Microsoft is expected to release a patch shortly, which should be applied as soon as it is available. In the interim, the following measures can be taken to mitigate the impact of delivery of malware:

  • The use of Office Protected View when opening files can also help to stop the attack, with the exploit being disabled and subsequently prevented from executing when Office Protected View is used.
  • Symantec Email Security.Cloud customers should consider implementing a custom rule to detect attachment types associated with this attack, and either tag the subject of the original email upon delivery to the recipient inbox, or trigger an alert to the end user advising them that they have received a potentially malicious email, and to refrain from opening the attachment unless received from a trusted sender. For support or guidance in doing this, please contact your Infotrust Account Manager.
  • Advise users to refrain from opening office attachments from untrusted senders or locations.