It exploits a zero-day vulnerability in the logic of the software relating to OLE (Object Linking and Embedding), which allows documents to embed links and references to objects or other documents.
When malicious documents containing this exploit are opened, they ping an external server and download an HTA file (web server file, like HTAccess), which is disguised as a simple rich text document (RTF).
If the attack is successfully executed, the original Word file is closed, and a fake embedded document is displayed to distract the user. In the background, whatever malware thehackers want installed is being set up on the user’s PC.
There’s no limit to the amount of damage this attack can cause. It’s entirely dependent on what the hackers want to install. Keyloggers, ransomware or anything else they can dream up, and unfortunately, due to the nature of the attack, it’s virtually undetectable.
The two security companies pooled their research and have brought their findings to the attention of Microsoft, which is slated to release a regular security update later this month. At this time, it is not known whether the security update will contain a fix for this particular vulnerability, or if we’ll be seeing a special update that addresses it specifically.
In the meantime, it’s more important than ever to remind your employees not to open any file they receive from an unknown or untrusted source. Even if the source is trusted, a good second step would be to pick up the phone and voice verify that the attachment is legitimate.