In this post, we provide a technical analysis of how this CVE is being exploited in the wild. Threat actors wasted no time in putting this zero day vulnerability to ill-use before Microsoft provided a fix in September’s Patch Tuesday. CVE-2021-40444, however, is a Microsoft Office MSHTML Remote Code Execution Vulnerability that requires no macros and only a single approval to “display content”. Macro-based attacks, however, require an extra social engineering step or two as such functionality has to be explicitly approved by the user on a per-document basis.
These typically attempt to infect users through maliciously crafted Word or Excel files received as an attachment or as a download link via email. Microsoft Office has long been a common attack vector, with abuse of its macro functionality a firm favorite of phishing and malspam attacks.
