Since the release of this vulnerability, security researchers have taken to Twitter to warn how dangerous it is, even though Microsoft Office's 'Protected View' feature will block the exploit.
When Office opens a document, it checks whether the file is tagged with a "Mark of the Web" (MoTW), which indicates that it originated from the Internet.
If this tag is present, Office opens the document in read-only Protected View, effectively blocking the exploit unless the user clicks the 'Enable Editing' button.
As the "Protected View" feature mitigates the exploit, BleepingComputer reached out to Will Dormann, a vulnerability analyst for CERT/CC, to learn why security researchers are so concerned about this vulnerability.
Dormann told BleepingComputer that even if the user is initially protected via Office’s ‘Protected View’ feature, history has shown that many users ignore this warning and click on the ‘Enable Editing’ button anyway.
Dormann also warns that there are numerous ways for a document not to receive the MoTW flag, effectively negating this defense.
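As an added example, not code from the article or from Dormann: the PowerShell check below (assumes a Windows host with NTFS and a folder path you supply) lists Office documents in a folder and reports whether each one carries the MoTW, which Windows stores as a Zone.Identifier alternate data stream, so a defender can spot files that arrived without the flag and would therefore not open in Protected View.

```powershell
# Added example, not from the original article.
# Reports, for each Office document under $Path, whether it carries the
# Mark of the Web (Zone.Identifier alternate data stream). Downloaded files
# normally carry ZoneId=3 (Internet zone); a missing stream means Office
# will not apply Protected View to that file.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed folder to inspect
)

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$FilePath)

    # Get-Item -Stream returns the stream object only if it exists on the file
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        # No Zone.Identifier stream: this file will open without Protected View
        return [pscustomobject]@{ File = $FilePath; HasMotw = $false; ZoneId = $null }
    }

    # Parse the ZoneId line out of the stream ([ZoneTransfer] / ZoneId=3 ...)
    $zoneId = $null
    foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1]; break }
    }
    return [pscustomobject]@{ File = $FilePath; HasMotw = $true; ZoneId = $zoneId }
}

# Walk common Office document types and list files lacking the MoTW first
Get-ChildItem -Path $Path -File -Recurse -Include *.doc,*.docx,*.docm,*.rtf,*.xls,*.xlsx,*.xlsm,*.ppt,*.pptx |
    ForEach-Object { Get-MotwStatus -FilePath $_.FullName } |
    Sort-Object HasMotw, File |
    Format-Table -AutoSize
```

Run it as `.\Check-Motw.ps1 -Path C:\Users\alice\Downloads` (file name and path are assumptions); documents showing `HasMotw = False` are the ones that would bypass the Protected View defense described above.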
Cobalt Strike is also used later in the attack chain, close to its end.