Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.
On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.
According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
type.inbound and any(attachments, ( (.file_extension in~ $file_extensions_macros or .file_extension =~ "rtf") and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*")) ) or ( .file_extension in~ $file_extensions_common_archives and any(file.explode(.), .flavors.mime == "text/xml" and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*")) ) ) )
Test against your own EMLs or sample data.
Get Started. Today.
Managed or self-managed. No MX changes.