High Severity

Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability

Labels

Description

Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.

References

https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

https://twitter.com/jduck/status/1632471544935923712

https://github.com/gyaansastra/CVE-2023-21716

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension in~ ("rtf", "doc", "docx")
          or .file_extension in~ $file_extensions_common_archives
          or .file_extension in~ $file_extensions_macros
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000000
          )
        )
        and any(file.explode(.),
                any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
                and length(filter(.scan.strings.strings,
                                  strings.ilike(., '{\f*;}')
                           )
                ) > 10000
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.