There is a zero day (CVE-2022-30190 Follina) with Microsoft Office, which with an appropriately crafted MS office document such as word or excel (and the rest) will allow a remote attacked to gain access to your computer. It uses an inbuilt MS support URL to execute commands.
It looks like there will be some time before this security bug is fixed, so to avoid being attacked there are some immediate things you should consider doing:
- Make sure you email service will attempt to find these email attachments and block them
- If you have a good AV it should detect and block this.
- Hardening steps (where possible) to block executables spawned from office programs.
- Hardening steps (where possible) to block network access for office programs.
- Users have been trained to preview suspicious files in gmail before downloading to confirm it is actually needed.
- Patch security vulnerability as soon as available
- Block / Quarantine all email with office attachments until the patch is available
- Remove the use of URL protocol “ms-msdt:” by deleting HKEY_CLASSES_ROOT\ms-msdt
Reach out to us if you need any assistance applying these or other protections.
