On Tuesday, September 7, 2021, Microsoft published a warning about a zero-day flaw in MSHTML (severity rating 8.8/10). The CVE-2021-40444 vulnerability is currently being actively exploited in targeted attacks to deliver Cobalt Strike payloads via purpose-built Microsoft Office documents, and it impacts Internet Explorer users. The malicious document carries a malicious ActiveX control. If the attacker convinces the victim to download the file and bypass mitigations, the malicious content is then downloaded and run on the victim's machine.
The remote code execution flaw is exploited via MSHTML (aka Trident), the proprietary browser engine of the now-discontinued Internet Explorer. MSHTML is also used by Microsoft Office to render web content inside Word, Excel, and PowerPoint documents.
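Because the delivery vector described above is an Office document that makes Word pull remote web content through MSHTML, one static check a defender can run on incoming attachments is to inspect the document's OOXML relationship parts for OLE objects whose target is external (loaded from a URL rather than embedded in the package), with the `mhtml:` scheme as an additional indicator. The scanner below is an added example written for this post, not code from Microsoft or from any detection vendor; the `.docx` packages it builds are constructed in memory with the `example.invalid` host as a placeholder, and it only reads the `.rels` parts, so it is a triage aid rather than a full document parser.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace for relationship parts and the relationship type for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx_relationships(docx_bytes: bytes) -> list:
    """Return findings for external OLE-object relationships inside an OOXML package.

    Each finding is a dict with the relationships part, the relationship Id,
    the Target and the reason(s) it was flagged. Benign documents return [].
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A relationships part that does not parse is itself worth a look.
                findings.append({"part": name, "id": None, "target": None,
                                 "reason": "unparseable relationships part"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if not external:
                    continue  # embedded parts are the normal case
                reasons = []
                if rtype == OLE_REL_TYPE:
                    reasons.append("external OLE object")
                if re.match(r"(?i)^\s*mhtml:", target):
                    reasons.append("mhtml: scheme in target")
                if reasons:
                    findings.append({"part": name, "id": rel.get("Id"),
                                     "target": target, "reason": ", ".join(reasons)})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx-like zip containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: one embedded styles part plus an ordinary external hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/page" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an OLE object whose content is fetched from a remote mhtml: URL.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="mhtml:http://example.invalid/word.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        for f in scan_docx_relationships(build_sample_docx(rels)) or [{"part": "-", "reason": "no findings"}]:
            print(f"{label}: {f['part']} -> {f['reason']}")
```

Run it against real attachments by replacing `build_sample_docx(...)` with the bytes of the file; a hit on "external OLE object" is a strong reason to quarantine the document and pivot to the SIEM content, since a legitimate Word document rarely loads OLE content from a URL at open time.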
Explore detection content available for SIEM & XDR solutions to stay protected against possible CVE-2021-40444 exploitation.