Fancy Bear Exploits Microsoft Office Flaw in Ukraine, EU Cyber-Attacks
Summary:
The vulnerability, CVE-2026-21509 (CVSS 7.8), involves an over-reliance on untrusted inputs that allows attackers to bypass Object Linking and Embedding (OLE) mitigations. In recent campaigns identified by CERT-UA, Fancy Bear distributed malicious Word documents (such as Consultation_Topics_Ukraine(Final)[.]doc) via phishing emails. These files trigger a network connection via the WebDAV protocol to download an LNK file, which then uses COM hijacking (specifically targeting EhStoreShell[.]dll) to execute shellcode. The final payload is the Covenant framework, a .NET-based command-and-control (C2) tool used for persistence and further exploitation.
Security Officer Comments:
This activity represents a significant threat to global organizations because it demonstrates a rapid "disclosure-to-weaponization" cycle; Fancy Bear deployed the exploit just one day after Microsoft’s disclosure.
While the current focus is on Ukrainian executive authorities and EU diplomatic entities (COREPER), the vulnerability affects standard versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps.
Because the exploit chain utilizes legitimate cloud storage services like Filen for its C2 infrastructure, it can easily bypass traditional network security filters that don't inspect traffic to reputable cloud providers. Any organization globally that lags in its monthly patching cycle or relies on default OLE/COM configurations is at risk of being targeted by similar state-sponsored "living-off-the-cloud" techniques.
Suggested Corrections:
The primary defense against this threat is the immediate application of Microsoft’s security updates released in late January 2026.
For organizations running Office 2016 and 2019, manual installation is required, whereas Office 2021 and later receive service-side updates that necessitate an application restart to take effect.
Beyond patching, administrators should implement the Windows registry configurations recommended in Microsoft’s advisory to reinforce OLE mitigations and consider blocking or strictly monitoring network traffic to the Filen cloud storage service if there is no legitimate business need for it.
Additionally, organizations should employ endpoint detection and response (EDR) tools to monitor for suspicious process behavior, such as the unexpected restart of explorer[.]exe or the unauthorized loading of EhStoreShell[.]dll associated with COM hijacking.
Link(s):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
The vulnerability, CVE-2026-21509 (CVSS 7.8), involves an over-reliance on untrusted inputs that allows attackers to bypass Object Linking and Embedding (OLE) mitigations. In recent campaigns identified by CERT-UA, Fancy Bear distributed malicious Word documents (such as Consultation_Topics_Ukraine(Final)[.]doc) via phishing emails. These files trigger a network connection via the WebDAV protocol to download an LNK file, which then uses COM hijacking (specifically targeting EhStoreShell[.]dll) to execute shellcode. The final payload is the Covenant framework, a .NET-based command-and-control (C2) tool used for persistence and further exploitation.
Security Officer Comments:
This activity represents a significant threat to global organizations because it demonstrates a rapid "disclosure-to-weaponization" cycle; Fancy Bear deployed the exploit just one day after Microsoft’s disclosure.
While the current focus is on Ukrainian executive authorities and EU diplomatic entities (COREPER), the vulnerability affects standard versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps.
Because the exploit chain utilizes legitimate cloud storage services like Filen for its C2 infrastructure, it can easily bypass traditional network security filters that don't inspect traffic to reputable cloud providers. Any organization globally that lags in its monthly patching cycle or relies on default OLE/COM configurations is at risk of being targeted by similar state-sponsored "living-off-the-cloud" techniques.
Suggested Corrections:
The primary defense against this threat is the immediate application of Microsoft’s security updates released in late January 2026.
For organizations running Office 2016 and 2019, manual installation is required, whereas Office 2021 and later receive service-side updates that necessitate an application restart to take effect.
Beyond patching, administrators should implement the Windows registry configurations recommended in Microsoft’s advisory to reinforce OLE mitigations and consider blocking or strictly monitoring network traffic to the Filen cloud storage service if there is no legitimate business need for it.
Additionally, organizations should employ endpoint detection and response (EDR) tools to monitor for suspicious process behavior, such as the unexpected restart of explorer[.]exe or the unauthorized loading of EhStoreShell[.]dll associated with COM hijacking.
Link(s):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509