Frequently Asked Questions

Microsoft Office Online Video Vulnerability & Mitigation

What is the Microsoft Office Online Video vulnerability discovered by Cymulate?

Cymulate's research team discovered a way to abuse the Online Video feature in Microsoft Word to execute malicious code. Attackers can embed a video in a Word document, modify the document's XML to include a crafted payload, and trigger code execution via Internet Explorer Download Manager—without any security warning when opening the document in Word. (Source, April 20, 2025)

How does the attack using Microsoft Office Online Video work?

The attack involves embedding an online video in a Word document, unpacking the .docx file, editing the document.xml file to replace the embedded video link with malicious HTML/JavaScript, and repackaging the document. When opened, the payload triggers Internet Explorer Download Manager to download or run an executable, all without a security warning. (Source)

What mitigation steps are recommended for the Microsoft Office Online Video vulnerability?

Mitigation options include blocking Word documents containing the tag "embeddedHtml" in the document.xml file and implementing a YARA rule to detect such abuse. Additionally, blocking Word documents with embedded videos can serve as a workaround. (Source)

Is there a YARA rule available to detect this vulnerability?

Yes, Cymulate provides a YARA rule named EMBEDDEDHTML_WITH_SCRIPT to detect possible abuse of Office video embeddedHtml. The rule checks for suspicious embeddedHtml parameters containing script tags in Word documents. (Source)

What is the recommended workaround if blocking embeddedHtml is not possible?

If blocking embeddedHtml is not feasible, a recommended workaround is to block all Word documents containing embedded videos. This reduces the attack surface for this specific vulnerability. (Source)

Was this vulnerability seen in the wild?

Yes, as of November 12th, 2018, Trend Micro discovered an in-the-wild sample of this logical bug (TROJ_EXPLOIT.AOOCAI) used to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO). (Source)

Does Microsoft Word display a security warning when opening a document exploiting this vulnerability?

No, there is no security warning presented when opening a document exploiting this vulnerability in Microsoft Word. (Source)

Where can I find the official press release about this vulnerability?

The official press release about Cymulate's discovery of this Microsoft Office vulnerability is available at BusinessWire.

How can I test the effectiveness of my security controls against this type of threat?

You can test your security controls against threats like this by booking a demo of Cymulate's Exposure Validation platform at https://cymulate.com/schedule-a-demo/.

Who conducted the research on the Microsoft Office Online Video vulnerability?

The research was conducted by Cymulate's research team, with Ruben Jami, Director of Product Management at Cymulate, contributing to the findings. (Source)

Features & Capabilities

What is Cymulate Exposure Validation?

Cymulate Exposure Validation is a platform that enables advanced security testing through automated real-world attack simulations. It helps organizations identify vulnerabilities, validate security controls, and improve threat resilience. (Source)

What are the key capabilities of Cymulate's platform?

Cymulate offers continuous threat validation, breach and attack simulation (BAS), continuous automated red teaming (CART), exposure analytics, attack path discovery, automated mitigation, and cloud validation. These features help organizations stay ahead of emerging risks and optimize their security posture. (Source)

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, and more. For a full list, visit the Partnerships and Integrations page.

How does Cymulate help with exposure prioritization and remediation?

Cymulate automates threat validation and prioritization by ranking vulnerabilities based on exploitability, business context, and threat intelligence. This enables organizations to focus remediation efforts on the most critical exposures. (Source)

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, guides, data sheets, solution briefs, and reports covering topics like exposure management, email threat validation, detection engineering, vulnerability management, and more. Access these resources at the Resource Hub.

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform is praised for its user-friendly interface and accessible support. (Source)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly platform. For example, Raphael Ferreira, Cybersecurity Manager at Banco PAN, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." (Source)

What security and compliance certifications does Cymulate hold?

Cymulate is SOC2 Type II certified and complies with ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. The platform is also GDPR compliant and hosted in secure AWS data centers. (Source)

How does Cymulate ensure data security and privacy?

Cymulate incorporates data protection by design, with a dedicated privacy and security team, including a DPO and CISO. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), and the platform is developed using a secure SDLC with regular third-party penetration tests. (Source)

Pain Points & Use Cases

What core problems does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear risk prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing continuous threat validation, exposure prioritization, and automation. (Source)

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations across industries such as media, transportation, and financial services. (Source)

How does Cymulate address the pain points of different personas?

Cymulate tailors its solutions for CISOs (providing metrics and insights), SecOps (automating processes), red teams (offensive testing with a large attack library), and vulnerability management teams (prioritizing exposures). (Source)

What measurable business impact can Cymulate deliver?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, a 30% improvement in threat prevention, and a 52% reduction in critical exposures. (Source)

What is the primary purpose of Cymulate's platform?

The primary purpose is to harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities, focusing on exploitable exposures. (Source)

How does Cymulate help with cloud security validation?

Cymulate provides dedicated validation features for hybrid and cloud environments, integrating with cloud security tools like AWS GuardDuty, Check Point CloudGuard, and Wiz. (Source)

Where can I find Cymulate's blog and newsroom for the latest updates?

You can read Cymulate's blog at https://cymulate.com/blog/ and access the newsroom at https://cymulate.com/news/ for media mentions and press releases.

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for workflow automation and security posture improvement. AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. (Source)

What differentiates Cymulate from Mandiant Security Validation?

Mandiant Security Validation is one of the original BAS platforms but has seen minimal innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and maintaining grid leader status. (Source)

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth Cymulate provides for full kill chain and cloud control validation. Cymulate offers comprehensive exposure validation and a broader range of capabilities. (Source)

What makes Cymulate different from Picus Security?

Picus Security is suitable for those seeking an on-premise BAS vendor, while Cymulate is a complete exposure validation platform with full kill chain and cloud control validation. (Source)

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation, offering the industry's largest attack library and a full CTEM solution. (Source)

What are the advantages of Cymulate for different user segments?

CISOs benefit from quantifiable metrics, SecOps from automation and efficiency, red teams from a large attack library, and vulnerability management teams from consolidated, prioritized exposure insights. (Source)

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the package, number of assets, and scenarios selected. For a quote, schedule a demo with the Cymulate team.

Company Information & Resources

What is Cymulate's mission and vision?

Cymulate's mission is to empower organizations to manage their security posture proactively, providing an Exposure Management Platform to prove threats and improve resilience. (Source)

How large is Cymulate and what is its global reach?

Cymulate was founded in 2016 and serves over 1,000 customers in 50 countries, with offices in 8 locations worldwide. (Source)

Where can I find Cymulate's technical resources and documentation?

Technical resources, including whitepapers, guides, and data sheets, are available at the Cymulate Resource Hub.

How often is Cymulate's SaaS platform updated?

Cymulate updates its SaaS platform every two weeks, adding new features such as AI-powered SIEM rule mapping and advanced exposure prioritization. (Source)

Cymulate named a Customers' Choice in 2025 Gartner® Peer Insights™
Learn More
New Case Study: Credit Union Boosts Threat Prevention & Detection with Cymulate
Learn More
New Research: Cymulate Research Labs Discovers Token Validation Flaw
Learn More
An Inside Look at the Technology Behind Cymulate
Learn More
Book a Demo
Book a Demo

Abusing Microsoft Office Online Video

By: Ruben Jami

Last Updated: April 20, 2025

cymulate blog article

**Updated Note: As of November 12th, 2018, Trend Micro has discovered an in-the-wild sample of this logical bug seen in the TROJ_EXPLOIT.AOOCAI, using it  to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO).**

Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code (Read the press release here).

Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios.

This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.

A workflow of how this security flaw could be produced:

1. Create a Word Document.

2. Embed an online video: Insert -> online video and add any YouTube video.

3. Save the Word document with the embedded online video.

4. Unpack the Word document:

Docx files are actually a package of all the media files that you may see in a docx file. If you unpack the file – either by using an unpacker or changing the docx extension to zip and unzipping it – there are several files and directories in a single docx file:

5. Edit the document.xml file under word folder

6. Inside the .xml file, look for embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code. Replace the current iframe code with any html code / javascript to be rendered by Internet Explorer.

7. Save the changes in document.xml file, update the docx package with the modified xml and open the document.

We’ve created a PoC that contains the embedded executable (as a blob of a base64). Once run, this code will use the msSaveOrOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.

Please note: No security warning is presented while opening this document with Microsoft Word.

Mitigation

You can choose from the following options.

1. Block Word documents containing the tag: “embeddedHtml” in the Document.xml file of the word documents.

**Updated Mitigation: As of November 12th, 2018**

2. Implement the filter with the YARA rule.

This solution was provided by Trend Micro™ XGen™ security.

rule EMBEDDEDHTML_WITH_SCRIPT {
meta:
description = “possible abuse of Office video embededHtml”
strings:
$embeddedHtmlre1 = /\sembeddedHtml=”[^”]+/
$embeddedHtmlre2 = /\sembeddedHtml='[^’]+/
$script = “<script” nocase
condition:
(
for any i in (1..#embeddedHtmlre1): (
for any j in (1..#script): (
@embeddedHtmlre1[i] < @script[j] and
@script[j] < @embeddedHtmlre1[i] + !embeddedHtmlre1[i]
)
)
)
or
(
for any i in (1..#embeddedHtmlre2): (
for any j in (1..#script): (
@embeddedHtmlre2[i] < @script[j] and
@script[j] < @embeddedHtmlre2[i] + !embeddedHtmlre2[i]
)
)
)

Workaround

Block Word documents containing an embedded video.

Test the effectiveness of your security controls against possible cyber threats - book a demo to see Cymulate's platform in action.

image
Ruben Jami
Ruben Jami is the Director of Product Management at Cymulate and has spent 8 years here helping organizations optimize their cybersecurity controls.
More about Author
Table of Contents
Mitigation Workaround
Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.
Learn More

Featured Resources

View More Resources
image
blog

Path Traversal Vulnerability in AWS SSM Agent's Plugin ID Validation 

AWS SSM Agent flaw lets attackers exploit plugin IDs to run root-level scripts via path traversal.

Read More
cymulate blog article
blog

Protect Your Network from Unauthorized Access: 6 Security Controls Every CISO Needs in 2026

A breakdown of unauthorized access threats and essential controls to strengthen prevention and detection.

Read More
2025 Gartner® Market Guide for Adversarial Exposure Validation 
Report

2025 Gartner® Market Guide for Adversarial Exposure Validation 

Read Gartner’s 2025 guide on adversarial exposure validation featuring Cymulate as a vendor.

Learn More

GET A PERSONALIZED DEMO

Ready to see Cymulate in action?

Book a Demo