https://feed.craftedsignal.io/tags/office/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 15 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-cve-2026-23657-word-uaf/Wed, 15 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-cve-2026-23657-word-uaf/CVE-2026-23657 is a use-after-free vulnerability in Microsoft Office Word allowing a local attacker to execute arbitrary code with user privileges.On April 14, 2026, CVE-2026-23657 was published, detailing a use-after-free vulnerability affecting Microsoft Office Word. This vulnerability allows an attacker with local access to execute arbitrary code on a vulnerable system. Successful exploitation requires user interaction, as the victim must open a specially crafted Word document. Due to the nature of use-after-free vulnerabilities, attackers can potentially achieve arbitrary code execution by manipulating memory allocation after a pointer to freed memory is dereferenced. This poses a significant threat to organizations as successful exploitation can lead to data theft, system compromise, and further lateral movement within the network. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.

Attack Chain

1. Attacker crafts a malicious Microsoft Word document designed to trigger the use-after-free vulnerability (CVE-2026-23657).
2. The attacker delivers the malicious document to the victim, likely via email or shared file storage.
3. The victim opens the malicious document in Microsoft Word.
4. The crafted document exploits a weakness in memory management, freeing a memory region while a pointer to it is still in use.
5. The attacker leverages the use-after-free condition to overwrite the freed memory with attacker-controlled data.
6. Upon dereferencing the dangling pointer, the corrupted data is executed, leading to code execution.
7. The attacker executes arbitrary code within the context of the user running Microsoft Word.
8. The attacker may then install malware, steal sensitive information, or establish a persistent foothold on the compromised system.

Impact

Successful exploitation of CVE-2026-23657 allows an attacker to execute arbitrary code on a vulnerable system with the privileges of the user running Microsoft Word. This can lead to the installation of malware, theft of sensitive data, and further compromise of the system and network. The impact of this vulnerability is significant, as Microsoft Word is widely used in organizations of all sizes, making it a valuable target for attackers. The potential for arbitrary code execution elevates this vulnerability to a high-risk level, demanding immediate attention from security teams.

Recommendation

• Apply the patch released by Microsoft to address CVE-2026-23657 on all systems running Microsoft Office Word. (Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657)
• Deploy the Sigma rule Detect Suspicious Word Child Process to detect potentially malicious processes spawned by Microsoft Word.
• Enable process creation logging to capture process execution events, ensuring the Sigma rule has the necessary data to function.

]]>highadvisoryuse-after-freecode-executionofficecve-2026-23657https://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/Tue, 09 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.This detection rule identifies suspicious image loading of wmiutils.dll from Microsoft Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). Adversaries can use this technique to execute code and evade traditional parent/child processes spawned from Microsoft Office products. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI).

Attack Chain

1. User opens a malicious Microsoft Office document (e.g., Word, Excel).
2. The document contains a macro or exploit that triggers the execution of WMI commands.
3. The Office application spawns a WMI process or utilizes existing WMI infrastructure.
4. The WMI process loads the wmiutils.dll library, which is unusual for normal Office operations.
5. The WMI commands execute malicious code, potentially downloading or executing further payloads.
6. The attacker establishes persistence through WMI event subscriptions or other methods.
7. The attacker performs lateral movement using WMI to execute commands on other systems.

Impact

Successful exploitation allows attackers to execute arbitrary code, establish persistence, and move laterally within the network, potentially leading to data exfiltration, system compromise, or ransomware deployment. While the number of victims is unknown, this technique can be used in targeted attacks against organizations that heavily rely on Microsoft Office applications.

Recommendation

• Deploy the Sigma rule “Suspicious WMI Image Load from MS Office” to your SIEM and tune for your environment.
• Enable Sysmon event ID 7 (Image Loaded) logging for comprehensive image load monitoring as suggested in the setup instructions.
• Monitor process creation events for Microsoft Office applications spawning WMI-related processes (e.g., wbemtest.exe, wmic.exe) to detect potential WMI abuse.
• Implement network segmentation to limit lateral movement in case of a successful WMI-based attack.

]]>mediumadvisorywmiimage loadofficeexecutionhttps://feed.craftedsignal.io/briefs/2024-01-vsto-persistence/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-vsto-persistence/The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.Attackers can leverage Visual Studio Tools for Office (VSTO) add-ins to establish persistence within Microsoft Office applications. VSTO add-ins, designed to extend the functionality of Office applications, can be manipulated by threat actors to execute malicious code upon application startup. By modifying specific registry keys associated with VSTO add-ins, adversaries can ensure their code is loaded and executed each time an Office application is launched. This technique allows for covert and persistent access to compromised systems, enabling further malicious activities such as data exfiltration, lateral movement, or the deployment of additional payloads. The detection of this persistence mechanism is crucial for defenders to identify and mitigate potential compromises within their environment.

Attack Chain

1. Attacker gains initial access to the target system via unspecified means (e.g., phishing, exploiting a vulnerability).
2. The attacker identifies the registry keys associated with VSTO add-ins for Office applications (Outlook, Word, Excel, PowerPoint). These keys are typically located under \Software\Microsoft\Office\[Application]\Addins\.
3. The attacker modifies the registry to add or modify entries related to a malicious VSTO add-in. This involves setting the LoadBehavior value to 3 to ensure the add-in is loaded on startup.
4. The attacker places the malicious VSTO add-in files (DLLs) in a location accessible to the Office application.
5. The attacker may also modify the \Software\Microsoft\VSTO\Security\Inclusion\ registry key to bypass security warnings related to unsigned add-ins.
6. The user launches the targeted Office application (e.g., Outlook).
7. The Office application loads the malicious VSTO add-in based on the modified registry entries.
8. The malicious VSTO add-in executes its payload, enabling the attacker to perform malicious activities on the system.

Impact

Successful exploitation allows attackers to achieve persistent code execution within Microsoft Office applications. This can lead to the compromise of sensitive data, the deployment of additional malware, and the establishment of a long-term foothold within the targeted environment. The scope of impact depends on the privileges of the user account and the capabilities of the malicious VSTO add-in. Since Office applications are commonly used, a successful attack could potentially affect a large number of users within an organization.

Recommendation

• Deploy the Sigma rule Potential Persistence Via Visual Studio Tools for Office to your SIEM to detect suspicious registry modifications related to VSTO add-ins.
• Monitor registry modifications under the paths \Software\Microsoft\Office\Outlook\Addins\, \Software\Microsoft\Office\Word\Addins\, \Software\Microsoft\Office\Excel\Addins\, \Software\Microsoft\Office\Powerpoint\Addins\, and \Software\Microsoft\VSTO\Security\Inclusion\ (see Sigma rule and references).
• Implement application control policies to restrict the execution of unsigned or untrusted VSTO add-ins.
• Regularly review and audit installed Office add-ins to identify and remove any suspicious or unauthorized extensions.

]]>mediumadvisorypersistenceofficevstohttps://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-office-macro-security-regmod/Attackers may modify Microsoft Office registry settings related to macro security (AccessVBOM, VbaWarnings) to disable security warnings, enabling malicious macros for persistence and further compromise.Microsoft Office applications allow users and developers to manage macro security settings. Attackers can abuse these settings by modifying the registry to automatically trust macros or disable security warnings. This increases the likelihood of successful macro execution, potentially establishing persistence or enabling further malicious activities on the compromised system. The modifications specifically target the AccessVBOM and VbaWarnings registry values. This is a common tactic used to bypass security controls and execute malicious code within an organization, often as part of a phishing or spear phishing campaign.

Attack Chain

1. The attacker crafts a malicious Office document containing VBA macros.
2. The victim receives the malicious document via email or other means (T1566).
3. The victim opens the document, potentially triggering a prompt to enable macros.
4. If macros are enabled or trusted due to existing settings, the malicious VBA code executes (T1204.002).
5. The VBA code modifies the Windows Registry to disable macro security warnings by setting HKEY_CURRENT_USER\Software\Microsoft\Office\*\Security\VbaWarnings to 1 or modifying AccessVBOM (T1112).
6. The attacker can then use the trusted macro environment to execute arbitrary code (T1059.005).
7. The attacker may establish persistence by creating scheduled tasks or modifying startup entries (T1547.001).
8. The attacker achieves their final objective, which may include data exfiltration, lateral movement, or deploying ransomware (TA0005, TA0002).

Impact

Successful exploitation allows attackers to bypass Office macro security protections, potentially leading to arbitrary code execution and system compromise. Disabling macro security warnings increases the attack surface within an organization, as users are no longer prompted to approve macro execution, which can lead to further malware infection and data breaches. The rule is designed to detect registry changes that could enable this type of attack.

Recommendation

• Enable Sysmon registry event logging to detect the registry modifications described in this brief to trigger the detections (Sysmon Registry Events).
• Deploy the Sigma rule “MS Office Macro Security Registry Modifications” to your SIEM and tune for your environment.
• Use Group Policy Objects (GPOs) to centrally manage Office macro security settings and prevent users from modifying them (references).
• Investigate any alerts generated by this rule to determine the source of the registry modification and whether malicious macros were subsequently executed (rule description).

]]>mediumadvisoryofficemacroregistrydefense-evasionwindows