Email attachments remain one of the most trusted entry points into enterprise environments. Despite years of awareness training and secure email gateways, attackers continue to rely on documents because they blend seamlessly into everyday workflows.
New reporting from The Hacker News details how APT28, a Russia-linked threat actor, is actively exploiting a newly disclosed Microsoft Office vulnerability to gain initial access into targeted environments. The campaign highlights how modern adversaries increasingly abuse trusted applications and normal user behavior rather than relying on easily detectable malware techniques.
Rather than breaking security controls outright, the attack succeeds by operating entirely within expected enterprise workflows.
According to the report, APT28 is leveraging a Microsoft Office zero-day vulnerability delivered through specially crafted Office and RTF documents. These files are distributed via phishing emails designed to appear contextually relevant to the victim, often localized and tailored to increase credibility.
Once opened, the document exploits the vulnerability to trigger unauthorized code execution without requiring macros or obvious user prompts. This allows attackers to deploy lightweight loaders that establish command-and-control access while minimizing detectable artifacts on the system.
Because the execution path originates from a trusted application like Microsoft Office, many traditional defenses fail to raise immediate alerts.
What makes this technique particularly effective is that, from the operating system’s perspective, nothing unusual appears to occur.
From a security telemetry standpoint, the activity looks legitimate: there are no brute-force attempts, no obvious malware downloads, and no exploit kits scanning the environment. As a result, signature-based tools and perimeter controls often miss the intrusion entirely.
Once access is established, attackers shift to persistence and intelligence collection, using the compromised system as a staging point for further activity. Because the initial exploit does not immediately disrupt system operations, dwell time can extend significantly before detection.
In environments where endpoint, identity, and network telemetry are monitored in isolation, these weak signals rarely connect into a coherent attack story.
This campaign reflects a broader evolution in attacker strategy. Vulnerabilities are no longer exploited for loud, immediate impact. Instead, they are used as quiet enablers that allow attackers to blend into normal operational patterns.
In this case, the vulnerability is simply the entry point. The real advantage comes from abusing trusted processes, legitimate network paths, and valid user contexts after access is achieved.
This creates a critical blind spot for organizations that focus detection efforts on known malware indicators or standalone exploit alerts rather than post-exploitation behavior.
Seceon approaches document-based and zero-day attacks differently by treating execution behavior as the primary signal, not file reputation or exploit signatures.
Seceon’s unified aiSIEM and aiXDR platform continuously correlates:
Instead of analyzing each signal independently, Seceon connects them into a single attack narrative, allowing SOC teams to see when a seemingly benign document opens and transitions into suspicious system behavior.
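The correlation idea described above (and the point made earlier about endpoint and network telemetry being monitored in isolation) can be shown concretely with a small detector that joins process-creation events to outbound-connection events by process lineage. This is an added example, not Seceon's code or any product's logic: the event schema, host and user names, process names (including the hypothetical `loader.exe`), IP addresses and the ten-minute window are all constructed assumptions. It flags an external connection only when the connecting process descends from an Office application through at least one non-Office child, so Office's own routine network activity and an Office-spawned print helper that never talks to the network are both left alone.

```python
"""Join endpoint process telemetry to network telemetry by process lineage so a
benign-looking document open that turns into outbound activity becomes one
attack story instead of two unrelated weak signals.

Added example. Every event, name and address below is constructed; nothing is
taken from a real product, log source or the incident described in the post."""
import ipaddress
from datetime import datetime, timedelta

# Parent applications whose child processes deserve scrutiny (assumption).
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# RFC 1918 space is treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed bound between the first Office child spawning and the outbound
# connection; tune to the environment.
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry: one workstation, one user, one document open.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "user": "alice", "type": "process_start",
     "pid": 4100, "ppid": 3900, "image": "WINWORD.EXE"},
    # Office itself reaching the internet is routine (licensing, updates): must not fire.
    {"ts": "2024-05-01T09:01:00", "host": "ws01", "user": "alice", "type": "network_connect",
     "pid": 4100, "dest_ip": "203.0.113.99", "dest_port": 443},
    # Print helper spawned by Word with no network activity: must not fire.
    {"ts": "2024-05-01T09:00:20", "host": "ws01", "user": "alice", "type": "process_start",
     "pid": 4120, "ppid": 4100, "image": "splwow64.exe"},
    # Word spawns a shell, which starts a hypothetical loader that calls out.
    {"ts": "2024-05-01T09:03:05", "host": "ws01", "user": "alice", "type": "process_start",
     "pid": 4200, "ppid": 4100, "image": "cmd.exe"},
    {"ts": "2024-05-01T09:03:07", "host": "ws01", "user": "alice", "type": "process_start",
     "pid": 4210, "ppid": 4200, "image": "loader.exe"},
    # Internal file-share access by the same child: not external, not flagged here.
    {"ts": "2024-05-01T09:03:30", "host": "ws01", "user": "alice", "type": "network_connect",
     "pid": 4210, "dest_ip": "10.0.0.5", "dest_port": 445},
    {"ts": "2024-05-01T09:04:10", "host": "ws01", "user": "alice", "type": "network_connect",
     "pid": 4210, "dest_ip": "203.0.113.42", "dest_port": 443},
    # Process with no recorded start event (e.g. a browser): unknown lineage, skipped.
    {"ts": "2024-05-01T09:05:00", "host": "ws01", "user": "alice", "type": "network_connect",
     "pid": 2500, "dest_ip": "203.0.113.10", "dest_port": 443},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_external(ip):
    """True when the destination is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_process_table(events):
    """Index process_start events by (host, pid) so lineage can be walked."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process_start"}


def lineage(procs, host, pid, max_depth=16):
    """Return the known ancestry of pid, oldest ancestor first, newest last."""
    chain, key = [], (host, pid)
    while key in procs and len(chain) < max_depth:   # depth cap guards against pid reuse loops
        proc = procs[key]
        chain.append(proc)
        key = (host, proc["ppid"])
    return list(reversed(chain))


def correlate(events):
    """Return one finding per external connection that descends from an Office process."""
    events = sorted(events, key=_ts)
    procs = build_process_table(events)
    findings = []
    for e in events:
        if e["type"] != "network_connect" or not is_external(e["dest_ip"]):
            continue
        chain = lineage(procs, e["host"], e["pid"])
        office_idx = [i for i, p in enumerate(chain) if p["image"].upper() in OFFICE_IMAGES]
        if not office_idx:
            continue                       # no Office ancestor: not this pattern
        idx = office_idx[-1]
        if idx == len(chain) - 1:
            continue                       # the Office process itself connected: routine
        first_child = chain[idx + 1]
        elapsed = _ts(e) - _ts(first_child)
        if elapsed > WINDOW:
            continue                       # too far apart to tie together
        findings.append({
            "host": e["host"], "user": e["user"],
            "chain": [p["image"] for p in chain[idx:]],
            "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
            "elapsed_s": int(elapsed.total_seconds()),
        })
    return findings


def narrative(finding):
    """Render a finding as the single attack story an analyst would read."""
    return (f'{finding["host"]}/{finding["user"]}: {" -> ".join(finding["chain"])} '
            f'reached {finding["dest"]} {finding["elapsed_s"]}s after the first Office child spawned')


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(narrative(f))
```

The lineage walk is what turns two individually unremarkable records (a process start, a TLS connection) into one chain; without it the connection from `loader.exe` is indistinguishable from a browser's. In a real pipeline the same join would run over EDR process events and firewall or proxy logs keyed by host and pid, and identity context (an unusual logon for the same user shortly after) would be a natural third join.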
In addition, Seceon’s aiBAS360 helps proactively validate exposure to this type of attack by simulating document-based exploit chains and post-exploitation behaviors. This allows security teams to continuously test whether Microsoft Office exploitation, payload execution, and outbound C2 activity would be detected and blocked – before attackers attempt it in the real world.
This enables:
In attacks like this, where the exploit itself may be unknown or unpublished, behavioral context combined with continuous breach validation becomes the most reliable defense layer.
APT28’s use of a Microsoft Office vulnerability reinforces a familiar but often underestimated reality: the most effective attacks rarely look malicious at first glance.
When trusted documents become delivery mechanisms and legitimate applications become execution vehicles, prevention alone is not enough. The ability to continuously analyze behavior across users, endpoints, and networks determines whether these intrusions are detected early or allowed to operate silently.
In today’s threat landscape, the real challenge is no longer blocking every exploit. It is recognizing when normal activity starts behaving like an attack.
