Russia-linked advanced persistent threat (APT) group APT28 has been linked to attacks exploiting a high-severity bug in Microsoft Office.

In a Feb. 2 blog post, Zscaler ThreatLabz researchers said the campaign, tracked as Operation Neusploit, targeted countries in Central and Eastern Europe, with active exploitation beginning three days after Microsoft publicly disclosed and patched the flaw on Jan. 26.

The vulnerability, CVE-2026-21509, carries a 7.8 CVSS score and was described as a Microsoft Office bypass that could let an unauthorized attacker send a specially crafted Office file and trigger the flaw.

Security experts noted that while the industry has been trained to focus on critical flaws with scores above 9.0, social engineering means security teams have to watch even lower-rated flaws.

“While a 7.8 CVSS score doesn't seem so bad on paper, APT28 has been able to chain a 7.8 rated exploit with social engineering and a near-perfect delivery mechanism in Microsoft Office to create an extremely effective exploit,” said Andi Ursry, threat intelligence analyst at Blackpoint Cyber. “Office documents have been trusted, widely used and still frequently opened by users, making them an ideal and nearly perfect way for attackers to obtain initial access.”
Ursry added that the risk here isn't simply the vulnerability itself, but how easily an attacker such as APT28 can weaponize it at scale. If exploited, Ursry said, this type of access can deliver full system compromise, result in data loss or allow for the deployment of disruptive malware.

“Security teams should focus their efforts on patching Office applications and restricting macro and script execution within Office when possible,” said Ursry. “Additionally, they should focus on detecting abnormal post-exploitation activity.”

Trey Ford, chief strategy and trust officer at Bugcrowd, added that the industry trains people to look for CVSS 9.0 and 10.0 scores and tends to get excited only about these critical-class vulnerabilities, which is often tied to headlines.

“Attackers, especially those working in organized campaigns, are targeted, deliberate, and efficient in their use of medium and high vulns where the user is tricked or inspired into taking action — and that’s enough,” said Ford. “The key lesson we need to take from campaigns like this is that eternal vigilance is paramount. Users forget the trust, access, and power they have in the environment they have been entrusted with — it only takes one foothold for a far more complex attack to start.”
Microsoft Office bugs exploited by Russia-linked APT28
