Received — 12 March 2026, /r/netsec - Information Security News & Discussion

CVE-2026-21509: Actively Exploited Microsoft Office Security Feature Bypass — PoC Public, CISA KEV Listed

A high-severity (CVSS 7.8) security feature bypass in Microsoft Office is being actively exploited in the wild, with a public PoC already available and the vuln now on CISA's KEV catalog. Root cause is unvalidated input handling (CWE-807) that allows malicious OLE/COM objects in crafted documents to bypass built-in protections. Attack vector is local with no privileges required — just a user opening a phishing-delivered Office file. Affects Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps on x86/x64. Microsoft dropped an out-of-band emergency patch on January 26, 2026. Office 2016/2019 also require a registry-based mitigation. Confirmed targeting of government agencies, critical infrastructure, and maritime/transport sectors.

submitted by /u/Sarah_Cross

MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection

  • MicroStealer exposes a broader business risk by stealing browser credentials, active sessions, and other sensitive data tied to corporate access.
  • The malware uses a layered NSIS → Electron → JAR chain that helps it stay unclear longer and slows confident detection.
  • Distribution through compromised or impersonated accounts makes the initial infection look more trustworthy to victims.
submitted by /u/malwaredetector

Alipay (1B+ users) DeepLink+JSBridge Attack Chain: Silent GPS Exfiltration, 6 CVEs (CVSS 9.3)

Update (March 13, 2026):

Several major developments since this was posted:

  1. Packet Storm Security — Advisory published: https://packetstorm.news/files/id/217089

  2. Apple Product Security — Confirmed forwarding to investigation team (Ticket OE01052449093014). Apple is actively investigating the Alipay iOS app.

  3. Google Play — Policy violation investigation confirmed (Case #9-7515000040640).

  4. Singapore PDPC — Formal investigation opened (Case #00629724).

  5. HKCERT — Forwarded report to CNCERT (China National CERT).

  6. MITRE CVE — 6 CVEs pending (Ticket #2005801), CVSS 7.4–9.3.

Vendor (Ant Group) continues to maintain these are "normal functionality" and has issued no patch.

Full report: https://innora.ai/zfb/

submitted by /u/feng_sg