Is your organization vulnerable to the new APT28 Office zero-day attacks?
Security teams must address an active threat targeting Microsoft Office and Outlook. Russian threat group APT28 (Fancy Bear) is exploiting CVE-2026-21509. This zero-day vulnerability allows attackers to bypass security checks within Office applications. Both Microsoft and security firms such as Zscaler and CERT-UA have confirmed active campaigns. Immediate mitigation is required to prevent data theft and system compromise.
The Vulnerability: CVE-2026-21509 Explained
Microsoft disclosed CVE-2026-21509 on January 26, 2026. The flaw exists in the validation of OLE (Object Linking and Embedding) calls. Specifically, Office fails to adequately screen untrusted input in these calls. This failure renders standard protections against vulnerable COM/OLE controls ineffective.
Affected Software:
- Microsoft Office 2016 through 2024
- Microsoft 365 Apps
- Microsoft Outlook (via macro exploitation)
Current Patch Status
Microsoft released emergency server-side updates for Office 2021 and later versions immediately upon disclosure. Users running the MSI version of Office 2016 must download an out-of-band update from the Microsoft Update Catalog.
Active Exploitation: The Attack Chain
Attacks began rapidly after disclosure. Indicators suggest threat actors weaponized the flaw within 24 hours of the public announcement.
The CERT-UA Findings (General Office)
On January 29, 2026, the Computer Emergency Response Team of Ukraine (CERT-UA) detected malicious DOC files. These files masquerade as official documents regarding EU Coreper consultations in Ukraine.
- Mechanism: The malicious file exploits CVE-2026-21509.
- Execution: A scheduled task terminates and restarts explorer.exe.
- Payload: The restart triggers COM hijacking to load a malicious DLL file (EhStoreShell.dll).
- Result: The system executes shellcode that installs the COVENANT framework (a .NET command and control tool).
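The two persistence artifacts in the CERT-UA chain, a scheduled task that restarts explorer.exe and a COM hijack that loads EhStoreShell.dll, can both be hunted for on an endpoint. The following PowerShell script is an added example written for this page; it is not code from CERT-UA or the advisory. The DLL name is taken from the findings above, but the hijacked CLSID is not published here, so the script scans every CLSID rather than a specific one, and it also flags any per-user InprocServer32 entry that loads a DLL from outside the Windows and Program Files directories, since HKCU class registrations shadow HKLM ones and are the usual landing spot for a COM hijack. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the advisory or CERT-UA): hunt for the persistence artifacts
# described in the CVE-2026-21509 attack chain on a Windows endpoint.
# Assumptions: the DLL name below is the one the advisory reports; the CLSID is unknown,
# so all CLSIDs are scanned; the "kill" verb list is a heuristic, not a published IoC.

$dllName = 'EhStoreShell.dll'

function Find-ExplorerRestartTasks {
    # The chain relies on a task that terminates explorer.exe so the restart
    # re-instantiates the hijacked COM object. Look for that pattern in task actions.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        if ($cmd -match 'explorer\.exe' -and $cmd -match 'taskkill|Stop-Process|\bkill\b') {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
        }
    }
}

function Find-ComHijacks {
    param([string]$Dll)
    # HKCU\Software\Classes\CLSID is writable without admin rights and shadows HKLM,
    # so an InprocServer32 there pointing outside system paths is suspicious on its own;
    # a match on the advisory's DLL name anywhere is a direct indicator.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    $hives = @('HKCU:\Software\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { return }          # return = next item in ForEach-Object
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $server) { return }
            $expanded  = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
            $nameHit   = $expanded -like "*$Dll"
            $untrusted = ($hive -like 'HKCU:*') -and
                         -not ($trusted | Where-Object { $expanded -like $_ })
            if ($nameHit -or $untrusted) {
                $reason = if ($nameHit) { 'names advisory DLL' } else { 'HKCU InprocServer32 outside system paths' }
                [pscustomobject]@{ Hive = $hive; CLSID = $_.PSChildName; Server = $expanded; Reason = $reason }
            }
        }
    }
}

# Report: empty output for both means neither artifact was found on this host.
'== Scheduled tasks that kill/restart explorer.exe =='
Find-ExplorerRestartTasks | Format-Table -AutoSize
"== COM registrations naming $dllName or loading user-controlled DLLs from HKCU =="
Find-ComHijacks -Dll $dllName | Format-Table -AutoSize
```

Any HKCU hit that names the DLL should be treated as a confirmed indicator and escalated; hits flagged only as "outside system paths" need triage, because some legitimate per-user software also registers COM servers under the user's profile.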
Operation Neusploit (Outlook Focus)
Security researchers at Zscaler identified a parallel campaign dubbed “Operation Neusploit.” This vector specifically targets Outlook users in Central and Eastern Europe.
- Mechanism: Attackers send emails containing crafted RTF files.
- Payload: The exploit deploys MiniDoor (an Outlook macro-based email stealer) or PixyNetLoader.
- Infrastructure: The malware utilizes the cloud storage service Filen (filen.io) for command-and-control (C2) operations.
Strategic Mitigation Plan
Advisors recommend a multi-layered defense strategy to neutralize this threat.
- Prioritize Patching: Apply all available Microsoft Office updates immediately. Ensure server-side updates for Office 2021+ have propagated to all endpoints.
- Network Blocking: Configure firewalls and endpoint detection systems to block traffic to filen.io. This severs the C2 communication channel for the COVENANT framework.
- Registry Hardening: Verify that specific registry keys mentioned in Microsoft’s mitigation guidelines are active. If official patches are incompatible with legacy systems, consider third-party micropatches from providers like 0patch.
- User Awareness: Alert staff to treat unexpected documents—particularly those referencing Ukraine, EU consultations, or meteorological data—with extreme caution.
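The network-blocking step is best done at the firewall or proxy, but on an individual Windows endpoint a hosts-file sinkhole gives an immediate stopgap, and the DNS client cache shows whether anything on the host has already resolved the C2 domain. The script below is an added example written for this page, not guidance from the advisory or from Microsoft; the domain is the one named above, while the subdomain list and the sinkhole address are assumptions. Windows Firewall rules cannot match on a hostname, which is why this example works at the name-resolution layer.

```powershell
# Added example (not from the advisory): endpoint-level stopgap for the "Network Blocking"
# mitigation. Assumptions: only the bare domain from the advisory is known, so the subdomains
# listed here are a guess; the sinkhole address 0.0.0.0 is a convention, not a requirement.
# Run elevated (the hosts file is admin-writable only).

$c2Domain  = 'filen.io'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$names     = @($c2Domain, "www.$c2Domain")        # assumed subdomains; extend from your proxy logs

function Get-PriorC2Lookups {
    param([string]$Domain)
    # The DNS client cache holds recent answers; an entry here means some process on this
    # host already asked for the domain and is a triage lead in its own right.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$Domain" -or $_.Name -like "*$Domain" } |
        Select-Object Entry, Name, Data, TimeToLive
}

function Add-HostsSinkhole {
    param([string[]]$Names, [string]$Path)
    # Append a 0.0.0.0 entry for each name that is not already sinkholed, then flush the
    # cache so existing cached answers stop being used.
    $existing = Get-Content -Path $Path -ErrorAction Stop
    $toAdd = foreach ($n in $Names) {
        $pattern = "^\s*0\.0\.0\.0\s+$([regex]::Escape($n))(\s|$)"
        if (-not ($existing -match $pattern)) { "0.0.0.0 $n  # CVE-2026-21509 C2 sinkhole" }
    }
    if ($toAdd) {
        Add-Content -Path $Path -Value $toAdd -Encoding ASCII
        Clear-DnsClientCache
    }
    return @($toAdd).Count
}

function Test-Sinkhole {
    param([string[]]$Names)
    # Resolve-DnsName consults the hosts file by default, so a correctly sinkholed name
    # resolves to 0.0.0.0 here.
    foreach ($n in $Names) {
        $answers = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
                   Where-Object IPAddress
        [pscustomobject]@{
            Name      = $n
            Resolved  = ($answers.IPAddress -join ',')
            Sinkholed = [bool]($answers | Where-Object { $_.IPAddress -eq '0.0.0.0' })
        }
    }
}

'== Prior lookups of the C2 domain in the DNS client cache (empty = none seen) =='
Get-PriorC2Lookups -Domain $c2Domain | Format-Table -AutoSize
$added = Add-HostsSinkhole -Names $names -Path $hostsFile
"Added $added hosts entries."
'== Verification =='
Test-Sinkhole -Names $names | Format-Table -AutoSize
```

A hosts entry only affects names resolved through the OS resolver, so it does not stop malware that uses hard-coded IP addresses or DNS over HTTPS; treat it as a bridge until the perimeter block and the Office updates are in place, and record the cache hits from the first step as indicators for the incident ticket.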