Breaking the Kill Bit: Active Exploitation of CVE-2026-21509 in Microsoft Office

Microsoft has disclosed CVE-2026-21509, a security-feature-bypass vulnerability in Microsoft Office. Attacker-controlled document metadata can short-circuit Office's Kill Bit checks, so OLE/COM components that have been kill-bitted are instantiated anyway when the document is opened. Exploitation in the wild is confirmed. APT28 has used targeted spearphishing with weaponized RTF and Word documents to deliver payloads such as MiniDoor and PixyNetLoader, and maintains access through Outlook VBA persistence, COM hijacking, a scheduled task named OneDriveHealth, and steganographic payload staging.

Keypoints

  • Microsoft announced CVE-2026-21509 as a Security Feature Bypass in Office that allows document-supplied metadata to influence trust decisions and bypass Kill Bit enforcement.
  • The vulnerability is actively exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, making immediate patching critical.
  • APT28 used targeted spearphishing (weaponized RTF/Word attachments) to deliver initial access without relying on macros or user interaction beyond opening the file.
  • Observed post-exploitation payloads include MiniDoor (an Outlook VBA email-harvesting dropper) and PixyNetLoader (a modular loader that uses COM hijacking, scheduled tasks, and steganographic shellcode staging).
  • Persistence and stealth techniques include COM hijacking via InProcServer32 registry changes, a scheduled task named OneDriveHealth that restarts Explorer and self-deletes, and lowering Outlook macro security (SecurityLevel = 1).
  • Detection and response guidance includes patching immediately, monitoring for suspicious Office child processes, scheduled task creation, COM registry changes, Outlook registry modifications, and the file artifacts dropped by PixyNetLoader.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Office vulnerability exploited via specially crafted documents to achieve code execution and bypass protections (‘…specially crafted Office document, allowing attackers to bypass built-in security protections…’)
  • [T1566.001] Phishing: Spearphishing Attachment – initial access delivered through targeted spearphishing emails with malicious RTF/Word attachments (‘…targeted Spearphishing emails…’)
  • [T1546.015] Event Triggered Execution: Component Object Model Hijacking – persistence by registering a malicious DLL under a known CLSID so a legitimate COM class loads attacker-controlled code (‘…modifies COM registry entries so that a legitimate COM class loads the attacker-controlled DLL…’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – persistence and execution via a scheduled task named OneDriveHealth that launches the loader and uses restart/cleanup routines (‘The Windows scheduled task is named OneDriveHealth…’)
  • [T1112] Modify Registry – attackers modify registry values to weaken Outlook macro protections and to create/alter the COM registry mappings used for persistence (‘…modifies the following Outlook registry settings to weaken macro security controls…’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – attacker retrieves and loads malicious DLLs (and uses loader DLLs) to execute code without dropping obvious executables (‘…silently retrieve a malicious DLL from attacker-controlled infrastructure…’)
  • [T1027.003] Obfuscated Files or Information: Steganography – encrypted shellcode concealed inside an image file, which PixyNetLoader uses to stage and execute payloads (‘…an image file that contains encrypted shellcode concealed using steganography.’)

Indicators of Compromise

  • [File Name] payloads and staging artifacts – EhStoreShell.dll, VbaProject.OTM (and other loader/staging files such as SplashScreen.png and office.xml)
  • [Scheduled Task Name] persistence indicator – OneDriveHealth – scheduled task used to launch the loader and perform restart/cleanup activity
  • [Registry / CLSID] COM hijack and Outlook settings – InProcServer32 mappings pointing to ProgramData\EhStoreShell.dll; Outlook SecurityLevel set to 1
  • [File Paths] typical drop/staging locations – ProgramData\EhStoreShell.dll, %TEMP%\SplashScreen.png
  • [Process Names] suspicious child processes spawned by Office during exploitation – rundll32.exe, schtasks.exe (cmd.exe and powershell.exe also observed)
  • [Document Types] initial delivery artifacts – weaponized RTF and Word documents (specific filenames not provided in the article)
  • [Domains] payload/C2 hosting – attacker-controlled infrastructure / “known malicious domains” referenced in the report (no specific domain names provided in the article)
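The detection guidance in the Keypoints and the indicators above translate into a small set of endpoint-telemetry rules. The following hunt script is an added example, not code from the Logpoint report or from Microsoft. It assumes Sysmon-style event fields (Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename), takes the page's "SecurityLevel = 1" to mean the per-user ...\Outlook\Security\Level DWORD, and uses a placeholder CLSID in the constructed sample events because the report does not name the hijacked class.

```python
"""Hunt constructed Sysmon-style events for the CVE-2026-21509 / PixyNetLoader
tradecraft summarised above: Office spawning LOLBins, the OneDriveHealth task,
InProcServer32 COM hijacks, the Outlook macro-security downgrade and the dropped
file artifacts. Added example; field names follow Sysmon, sample events are constructed."""
import ntpath
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "schtasks.exe", "cmd.exe", "powershell.exe"}
ARTIFACTS = {"ehstoreshell.dll", "vbaproject.otm", "splashscreen.png", "office.xml"}
TASK_NAME = "onedrivehealth"
# Directories a non-admin can write to: a COM server DLL registered here is suspect.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Assumption: the page's "SecurityLevel = 1" is the per-user ...\Outlook\Security\Level DWORD (1 = run all macros).
OUTLOOK_LEVEL = re.compile(r"\\office\\\d+\.\d+\\outlook\\security\\level$")


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def office_child(ev):
    return (ev.get("EventType") == "ProcessCreate"
            and base(ev.get("ParentImage")) in OFFICE
            and base(ev.get("Image")) in LOLBINS)


def onedrivehealth_task(ev):
    """Task registered either via schtasks /Create or seen as a TaskCreate (4698-style) event."""
    if ev.get("EventType") == "TaskCreate":
        return TASK_NAME in ev.get("TaskName", "").lower()
    if ev.get("EventType") == "ProcessCreate" and base(ev.get("Image")) == "schtasks.exe":
        cl = ev.get("CommandLine", "").lower()
        return "/create" in cl and TASK_NAME in cl
    return False


def com_hijack(ev):
    """InProcServer32 written in the per-user Classes hive (shadows HKLM) or pointing at a user-writable DLL."""
    if ev.get("EventType") != "RegistryValueSet":
        return False
    key = ev.get("TargetObject", "").lower()
    val = ev.get("Details", "").lower()
    if "\\inprocserver32" not in key:
        return False
    return (key.startswith(("hkcu\\", "hku\\"))
            or any(d in val for d in USER_WRITABLE)
            or base(val) == "ehstoreshell.dll")


def outlook_macro_downgrade(ev):
    if ev.get("EventType") != "RegistryValueSet":
        return False
    key = ev.get("TargetObject", "").lower()
    return OUTLOOK_LEVEL.search(key) is not None and ev.get("Details", "").lower().endswith("(0x00000001)")


def dropped_artifact(ev):
    # VbaProject.OTM also exists on hosts that legitimately use Outlook VBA; treat as low-confidence on its own.
    return ev.get("EventType") == "FileCreate" and base(ev.get("TargetFilename")) in ARTIFACTS


RULES = [("office_child_process", office_child),
         ("onedrivehealth_task", onedrivehealth_task),
         ("com_inprocserver32_hijack", com_hijack),
         ("outlook_macro_downgrade", outlook_macro_downgrade),
         ("pixynetloader_artifact", dropped_artifact)]


def triage(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


def distinct_rules(events):
    """Distinct techniques seen; three or more on one host is a strong chain match, not a one-off."""
    return {name for name, _ in triage(events)}


# Constructed sample telemetry: one infection chain followed by two benign look-alikes.
SAMPLE = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\ProgramData\EhStoreShell.dll,#1"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'schtasks /Create /TN "OneDriveHealth" /SC ONLOGON /TR "rundll32.exe C:\ProgramData\EhStoreShell.dll,#1"'},
    {"EventType": "RegistryValueSet",  # placeholder CLSID: the report does not name the hijacked class
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\ProgramData\EhStoreShell.dll"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\SplashScreen.png"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    # Benign: Word's print helper, and a vendor installer registering a COM server under HKLM in Program Files.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": "splwow64.exe 12288"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE):
        print(f"{rule:28s} event {idx}")
    print("distinct techniques:", sorted(distinct_rules(SAMPLE)))
```

Each rule is deliberately loose on its own (Office launching rundll32.exe or a per-user InProcServer32 write each has benign causes); the value is in correlating them per host, which is why `distinct_rules` is returned separately from the raw hits. The two trailing benign events show the rules not firing on an HKLM COM registration into Program Files or on Word's ordinary child processes.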

Read more: https://logpoint.com/en/blog/breaking-the-kill-bit-active-exploitation-of-cve-2026-21509-in-microsoft-office