{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/office/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-23657"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","code-execution","office","cve-2026-23657"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn April 14, 2026, CVE-2026-23657 was published, detailing a use-after-free vulnerability affecting Microsoft Office Word. This vulnerability allows an attacker with local access to execute arbitrary code on a vulnerable system. Successful exploitation requires user interaction, as the victim must open a specially crafted Word document. Due to the nature of use-after-free vulnerabilities, attackers can potentially achieve arbitrary code execution by manipulating memory allocation after a pointer to freed memory is dereferenced. This poses a significant threat to organizations as successful exploitation can lead to data theft, system compromise, and further lateral movement within the network. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Microsoft Word document designed to trigger the use-after-free vulnerability (CVE-2026-23657).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious document to the victim, likely via email or shared file storage.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious document in Microsoft Word.\u003c/li\u003e\n\u003cli\u003eThe crafted document exploits a weakness in memory management, freeing a memory region while a pointer to it is still in use.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the use-after-free condition to overwrite the freed memory with attacker-controlled data.\u003c/li\u003e\n\u003cli\u003eUpon dereferencing the dangling pointer, the corrupted data is executed, leading to code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the user running Microsoft Word.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, steal sensitive information, or establish a persistent foothold on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-23657 allows an attacker to execute arbitrary code on a vulnerable system with the privileges of the user running Microsoft Word. This can lead to the installation of malware, theft of sensitive data, and further compromise of the system and network. The impact of this vulnerability is significant, as Microsoft Word is widely used in organizations of all sizes, making it a valuable target for attackers. The potential for arbitrary code execution elevates this vulnerability to a high-risk level, demanding immediate attention from security teams.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to address CVE-2026-23657 on all systems running Microsoft Office Word. (Reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Word Child Process\u003c/code\u003e to detect potentially malicious processes spawned by Microsoft Word.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture process execution events, ensuring the Sigma rule has the necessary data to function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-cve-2026-23657-word-uaf/","summary":"CVE-2026-23657 is a use-after-free vulnerability in Microsoft Office Word allowing a local attacker to execute arbitrary code with user privileges.","title":"Microsoft Word Use-After-Free Vulnerability CVE-2026-23657","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-23657-word-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","MSPUB.EXE","MSACCESS.EXE"],"_cs_severities":["medium"],"_cs_tags":["wmi","image load","office","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious image loading of \u003ccode\u003ewmiutils.dll\u003c/code\u003e from Microsoft Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). Adversaries can use this technique to execute code and evade traditional parent/child processes spawned from Microsoft Office products. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document contains a macro or exploit that triggers the execution of WMI commands.\u003c/li\u003e\n\u003cli\u003eThe Office application spawns a WMI process or utilizes existing WMI infrastructure.\u003c/li\u003e\n\u003cli\u003eThe WMI process loads the \u003ccode\u003ewmiutils.dll\u003c/code\u003e library, which is unusual for normal Office operations.\u003c/li\u003e\n\u003cli\u003eThe WMI commands execute malicious code, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through WMI event subscriptions or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement using WMI to execute commands on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, establish persistence, and move laterally within the network, potentially leading to data exfiltration, system compromise, or ransomware deployment. While the number of victims is unknown, this technique can be used in targeted attacks against organizations that heavily rely on Microsoft Office applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious WMI Image Load from MS Office\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 7 (Image Loaded) logging for comprehensive image load monitoring as suggested in the \u003ca href=\"https://ela.st/sysmon-event-7-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Microsoft Office applications spawning WMI-related processes (e.g., \u003ccode\u003ewbemtest.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e) to detect potential WMI abuse.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement in case of a successful WMI-based attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-suspicious-wmi-image-load/","summary":"Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.","title":"Suspicious WMI Image Load from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office","Microsoft Visual Studio"],"_cs_severities":["medium"],"_cs_tags":["persistence","office","vsto"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can leverage Visual Studio Tools for Office (VSTO) add-ins to establish persistence within Microsoft Office applications. VSTO add-ins, designed to extend the functionality of Office applications, can be manipulated by threat actors to execute malicious code upon application startup. By modifying specific registry keys associated with VSTO add-ins, adversaries can ensure their code is loaded and executed each time an Office application is launched. This technique allows for covert and persistent access to compromised systems, enabling further malicious activities such as data exfiltration, lateral movement, or the deployment of additional payloads. The detection of this persistence mechanism is crucial for defenders to identify and mitigate potential compromises within their environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system via unspecified means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry keys associated with VSTO add-ins for Office applications (Outlook, Word, Excel, PowerPoint). These keys are typically located under \u003ccode\u003e\\Software\\Microsoft\\Office\\[Application]\\Addins\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry to add or modify entries related to a malicious VSTO add-in. This involves setting the \u003ccode\u003eLoadBehavior\u003c/code\u003e value to \u003ccode\u003e3\u003c/code\u003e to ensure the add-in is loaded on startup.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious VSTO add-in files (DLLs) in a location accessible to the Office application.\u003c/li\u003e\n\u003cli\u003eThe attacker may also modify the \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e registry key to bypass security warnings related to unsigned add-ins.\u003c/li\u003e\n\u003cli\u003eThe user launches the targeted Office application (e.g., Outlook).\u003c/li\u003e\n\u003cli\u003eThe Office application loads the malicious VSTO add-in based on the modified registry entries.\u003c/li\u003e\n\u003cli\u003eThe malicious VSTO add-in executes its payload, enabling the attacker to perform malicious activities on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistent code execution within Microsoft Office applications. This can lead to the compromise of sensitive data, the deployment of additional malware, and the establishment of a long-term foothold within the targeted environment. The scope of impact depends on the privileges of the user account and the capabilities of the malicious VSTO add-in. Since Office applications are commonly used, a successful attack could potentially affect a large number of users within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePotential Persistence Via Visual Studio Tools for Office\u003c/code\u003e to your SIEM to detect suspicious registry modifications related to VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eMonitor registry modifications under the paths \u003ccode\u003e\\Software\\Microsoft\\Office\\Outlook\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Word\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Excel\\Addins\\\u003c/code\u003e, \u003ccode\u003e\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\\u003c/code\u003e, and \u003ccode\u003e\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\\u003c/code\u003e (see Sigma rule and references).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted VSTO add-ins.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit installed Office add-ins to identify and remove any suspicious or unauthorized extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vsto-persistence/","summary":"The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.","title":"Persistence via Visual Studio Tools for Office (VSTO) Add-ins","url":"https://feed.craftedsignal.io/briefs/2024-01-vsto-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Office"],"_cs_severities":["medium"],"_cs_tags":["office","macro","registry","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft Office applications allow users and developers to manage macro security settings. Attackers can abuse these settings by modifying the registry to automatically trust macros or disable security warnings. This increases the likelihood of successful macro execution, potentially establishing persistence or enabling further malicious activities on the compromised system. The modifications specifically target the \u003ccode\u003eAccessVBOM\u003c/code\u003e and \u003ccode\u003eVbaWarnings\u003c/code\u003e registry values. This is a common tactic used to bypass security controls and execute malicious code within an organization, often as part of a phishing or spear phishing campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Office document containing VBA macros.\u003c/li\u003e\n\u003cli\u003eThe victim receives the malicious document via email or other means (T1566).\u003c/li\u003e\n\u003cli\u003eThe victim opens the document, potentially triggering a prompt to enable macros.\u003c/li\u003e\n\u003cli\u003eIf macros are enabled or trusted due to existing settings, the malicious VBA code executes (T1204.002).\u003c/li\u003e\n\u003cli\u003eThe VBA code modifies the Windows Registry to disable macro security warnings by setting \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\*\\Security\\VbaWarnings\u003c/code\u003e to 1 or modifying \u003ccode\u003eAccessVBOM\u003c/code\u003e (T1112).\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating scheduled tasks or modifying startup entries (T1547.001).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which may include data exfiltration, lateral movement, or deploying ransomware (TA0005, TA0002).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Office macro security protections, potentially leading to arbitrary code execution and system compromise. Disabling macro security warnings increases the attack surface within an organization, as users are no longer prompted to approve macro execution, which can lead to further malware infection and data breaches. The rule is designed to detect registry changes that could enable this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to detect the registry modifications described in this brief to trigger the detections (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MS Office Macro Security Registry Modifications\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eUse Group Policy Objects (GPOs) to centrally manage Office macro security settings and prevent users from modifying them (references).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the source of the registry modification and whether malicious macros were subsequently executed (rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-office-macro-security-regmod/","summary":"Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.","title":"MS Office Macro Security Registry Modifications","url":"https://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/"}],"language":"en","title":"CraftedSignal Threat Feed — Office","version":"https://jsonfeed.org/version/1.1"}