View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Microsoft Office zero-day attacks target Word users

The Zero-day has yet to be patched.

By Hannah Williams

It has been revealed by researchers that a critical Microsoft Office zero-day attack has been targeting Word users since late January. The yet-to-be-patched vulnerability lets hackers remotely execute code on a targeted computer by luring users into opening a Word document which contains an embedded exploit.

Security researchers from McAfee and FireEye discovered that the attack works on all Microsoft Office versions, including the latest Office 2016 that runs on Windows 10, which security experts had previously had faith in as one of the most secure OS.

Explaining the zero-day in detail, FireEye explained:

“When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Therefore, as McAfee believes, the threat could be used to deliver multiple types of malware. Due to the it being a logical bug, it can also navigate around any memory-based mitigations.

Read more: Microsoft takes a back seat to Philip Hammond and security

“The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system,” said McAfee in a blogpost.

zero day 1

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester






FireEye confirmed that its researchers had shared details of the vulnerability with Microsoft and had been working with the tech giant for several weeks in request for public disclosure along with the release of a patch by the company.

Following this, both McAfee and FireEye have advised Microsoft Office users to apply the patch once it is available.

McAfee also advised:

“Do not open any Office files obtained from untrusted locations. According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled, said McAfee.”

According to reports, a patch for the Microsoft Office zero-day could be released by the tech giant as early as tomorrow, April 11th.


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.