Microsoft Zero Days: The Urgency of Patching and Continuous Security Training

Luring unsuspecting users to open Microsoft Office documents to deliver malware is as old as the internet.

A recent zero-day (CVE-2023-36884) offers attackers an opportunity to bypass existing defenses in Microsoft Office - in particular, Mark of the Web (MOTW) protection which make it harder to run unverified attachments.

The zero-day, exploited even before disclosure since at least June 2023, has now been patched as part of the August Patch Tuesday release (notice how months are now elapsing between active exploitation, patching and distribution).

The zero-day is currently heavily exploited in the wild (as more threat actors pick it up), mostly via email messages asking users to open Word documents either attached or linked within the email (see an early example email screenshot below).

As always, prompt patching but also continuous security awareness training (SAT) campaigns for employees, lest they drop their guard - is a must for all organizations. In this case, attackers were using a recurring social engineering technique: create a sense of urgency around a well known topic or event.

More on the vulnerability, as well as the tactics and techniques used by the threat actor: Microsoft's blog post.