• Sublime Core Feed
Critical Severity

Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Labels

Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis

Description

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

References

Sublime Security
Created Aug 17th, 2023 • Last updated Dec 19th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          (
            .file_extension in~ $file_extensions_macros 
            or .file_extension =~ "rtf"
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
        )
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .flavors.mime == "text/xml"
                  and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*"))
          )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started