Weaponized Microsoft 365 and MS Office 2019 documents relying on 0-Day exploits threatening security despite ‘Protected View’ mitigation?

Weaponized Documents can bypass even Protected View security? Pic credit: Asheshwor/Flickr

Microsoft recently disclosed an actively exploited security vulnerability that is delivered through Microsoft 365 and MS Office 2019 documents. These weaponized documents can cause a lot of harm by downloading and executing malicious payloads.

The Internet Explorer MSHTML Remote Code Execution (RCE) vulnerability is currently being exploited in the wild. Officially tagged and tracked as CVE-2021-40444, the exploit can potentially compromise network security.

MSHTML Remote Code Execution (RCE) vulnerability relies on malicious ActiveX controls to exploit Office 365 and Office 2019:

CVE-2021-40444 is concerning. When Microsoft disclosed the security loophole, the company offered few details. Since then, security researchers have been uncovering how serious the exploit's potential is.

Microsoft had indicated the vulnerability uses malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10. The exploit spreads through weaponized MS documents and tries to download and install malware on an affected computer.

Multiple security researchers have been warning about the security vulnerability. What’s even more concerning is that the same security loophole works with weaponized RTF files.

Microsoft has shared some ways to mitigate or prevent ActiveX controls from running in Internet Explorer, effectively blocking the current attacks. However, security researcher Kevin Beaumont has already discovered how to bypass Microsoft’s temporary workaround.

Needless to mention, with the newly discovered bypass and new file types to weaponize, CVE-2021-40444 is becoming more powerful and dangerous.

Microsoft 365 and MS Office 2019 ‘Protected View’ does offer some protection from weaponized documents but user behavior remains a serious problem:

Microsoft Office has a ‘Protected View’ feature. Technical jargon aside, the feature restricts what any document obtained from the Internet is allowed to do.

When MS Office opens any document, it checks whether the file carries a “Mark of the Web” (MoTW) tag. As the name indicates, the tag identifies the document as having originated from the Internet.

If the tag is present, Protected View only allows the document to open in read-only mode. This effectively blocks the CVE-2021-40444 0-Day exploit.

Unfortunately, many users have the habit of quickly clicking the ‘Enable Editing’ button to gain complete control over the document. This behavior undermines the security feature and allows the exploit to work.

What’s even more concerning is that not every Microsoft Office document that originates from the internet carries the MoTW flag. Threat actors can choose the delivery medium and popular containers such as 7Zip archives so that the documents arrive without the MoTW tag.
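The check described above can be reproduced by a defender. On NTFS the MoTW is an alternate data stream named Zone.Identifier with an INI-style body whose ZoneId records the URL security zone the file came from (3 is the Internet zone, 4 is Restricted Sites); a file written by a tool that does not propagate the stream has no tag at all. The following is an added example, not code from the article: it parses the stream body, decides whether Office would apply Protected View, and tries to read the stream from a real path. The sample stream contents are constructed; the function names and the zone mapping are the example's own.

```python
"""Check whether a file carries the Mark of the Web (MoTW) that Protected View keys off.

Added example (not from the article). The MoTW is the NTFS alternate data
stream "<file>:Zone.Identifier"; its body records the URL security zone of
the download. Files that arrive without the stream, e.g. extracted by an
archiver that does not propagate it, open outside Protected View.
"""
import configparser
from typing import Optional

# URL security zone ids as written into Zone.Identifier (URLZONE_* values).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Zones for which Office opens the document in Protected View.
PROTECTED_VIEW_ZONES = {3, 4}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier body, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return None  # not INI-shaped, e.g. no [ZoneTransfer] header
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None


def would_open_in_protected_view(stream_text: Optional[str]) -> bool:
    """True when the MoTW present would make Office open the file read-only.

    A missing stream (None) means no tag: Office treats the file as local.
    """
    if stream_text is None:
        return False
    return parse_zone_identifier(stream_text) in PROTECTED_VIEW_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of *path* on NTFS; None when there is none."""
    try:
        # NTFS exposes alternate data streams through the "<file>:<stream>" syntax.
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def describe(stream_text: Optional[str]) -> str:
    """Human-readable verdict for a report or triage note."""
    zone = None if stream_text is None else parse_zone_identifier(stream_text)
    zone_label = ZONE_NAMES.get(zone, "no MoTW") if zone is not None else "no MoTW"
    verdict = "Protected View" if would_open_in_protected_view(stream_text) else "opens editable"
    return f"{zone_label}: {verdict}"


if __name__ == "__main__":
    # Constructed samples: a browser download keeps the tag, an archive extraction may not.
    downloaded = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example/invoice.docx\r\n"
    print("browser download     ->", describe(downloaded))
    print("extracted from 7Zip  ->", describe(None))
```

Run it against a real download with `describe(read_zone_identifier(r"C:\Users\me\Downloads\invoice.docx"))` (path is a placeholder). A result of "no MoTW" on a file that is known to have come from the Internet is exactly the condition the article warns about.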

Simply put, threat actors can bypass the Protected View defense mechanism to launch the CVE-2021-40444 0-Day exploit. New reports about the exploit indicate the ultimate payload installs a Cobalt Strike beacon.

This can allow the threat actor to gain remote access to the device. Once the attacker successfully gains remote access to victims’ computers, multiple security exploits become possible.
