ZeroDay in Microsoft Office exploited in NATO Summit

Siddharth Hingol
2 min read · Jul 17, 2023


Underground .onion ransom webpage

A Microsoft Office zero-day has recently been brought to notice at the NATO summit; if exploited, it can allow unauthenticated attackers to perform RCE (Remote Code Execution).

A phishing campaign carried out by the threat actor tracked as Storm-0978 is targeting defense and government entities in Europe and North America. Storm-0978, also referred to as DEV-0978, is a cybercriminal group based out of Russia that is known to carry out opportunistic ransomware and extortion-only operations as well as targeted credential-gathering campaigns. Storm-0978 operates, develops, and distributes the RomCom backdoor.

Storm-0978 email with a link to Microsoft Office document

The vulnerability is in Microsoft Office and is still unpatched; attackers can exploit it in highly complex environments, and exploitation requires user interaction. The vulnerability is tracked as CVE-2023-36884.

Microsoft is aware of this series of vulnerabilities, which affects multiple Windows and Office products and can be exploited using specially crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document and send it to the user; the attacker then needs to convince the user to click on the document and open it in order to perform RCE on the system.

Microsoft 365 Defender detects multiple stages of Storm-0978 activity.

Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

· Excel.exe
· Graph.exe
· MSAccess.exe
· MSPub.exe
· PowerPoint.exe
· Visio.exe
· WinProj.exe
· WinWord.exe
· Wordpad.exe

Setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key (Microsoft)
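The registry mitigation above, applied and then verified with PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes an elevated (Administrator) session and uses the key path and the nine process names listed above (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE).

```powershell
# Added example: apply the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation
# for CVE-2023-36884 and confirm every listed process has a REG_DWORD value of 1.
# Run from an elevated PowerShell session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Processes = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
               'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-CrossProtocolBlock {
    param([string]$Path, [string[]]$Names)
    # Create the FeatureControl subkey if it does not exist yet (-Force creates parents).
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Names) {
        # One REG_DWORD per executable; data 1 enables the block for that process.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Returns the names that are missing or not set to 1, so an empty result means "fully applied".
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -Path $Path)) { return $Names }
    $props = Get-ItemProperty -Path $Path
    $missing = @()
    foreach ($name in $Names) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop -or [int]$prop.Value -ne 1) { $missing += $name }
    }
    return $missing
}

Set-CrossProtocolBlock -Path $KeyPath -Names $Processes
$notSet = @(Test-CrossProtocolBlock -Path $KeyPath -Names $Processes)
if ($notSet.Count -eq 0) {
    Write-Output "Mitigation applied for all $($Processes.Count) listed processes."
} else {
    Write-Output "Mitigation missing or incorrect for: $($notSet -join ', ')"
}
```

Microsoft noted that these settings can affect regular functionality for some use cases of the listed applications, so test on a pilot group before deploying broadly.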

Indicators of Compromise (IOCs):


References:

https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

https://unit42.paloaltonetworks.com/cve-2023-36884-rce/

https://www.bleepingcomputer.com/news/security/microsoft-unpatched-office-zero-day-exploited-in-nato-summit-attacks/
