A Microsoft word security warning is circulating that describes how bad actors are using it as a new way of executing mailcoud PowerShell on devices. There is currently no fix from Microsoft.
Announced May 27th, this document uses a word template feature to retrieve an HTML file from a remote server, which uses the ms-msdt MSProtocol URI scheme to load some code and execute some Powershell.
This happens as soon as the document is loaded, even if macros are disabled. It can even run using the preview features of explorer.
The good news is that antivirus vendors are adding signatures for these files and many can detect it, but only if your antivirus is up to date as of May 30, 2022.
You are advised to not open or preview documents attached to unsolicited emails, or unexpected documents received in an email. If you are unsure, you can submit the document to http://www.virustotal.com for analysis without opening the document with Word.
Regards,
Daniel Weatherly
Director of Security Services
501-801-6706
