Critical Severity

Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Labels

Description

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

https://twitter.com/buffaloverflow/status/1436261107329642522

https://twitter.com/jroosen/status/1435792491899494402

https://twitter.com/decalage2/status/1436433067619622916

https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/

https://twitter.com/aaaddress1/status/1436393045939814400

Sublime Security

Created Aug 17th, 2023 • Last updated Aug 21st, 2023

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          (.file_extension in~ $file_extensions_macros or .file_extension =~ "rtf")
          and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
        )
        or (
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .flavors.mime == "text/xml"
                  and any(.scan.strings.strings, regex.icontains(., ".*oleObject.*mhtml.*http.*"))
          )
        )
)

MQL Console

•

View MQL Guide

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.