At a glance: A security feature bypass vulnerability affecting Microsoft Office and Microsoft 365 is being actively exploited in the wild. Tracked as CVE-2026-21509, the flaw allows attackers to bypass Object Linking and Embedding (OLE) protections, enabling malicious code execution when a user opens a crafted Office document.
Threat summary
Microsoft issued an out-of-band patch on January 26 to address a security feature bypass vulnerability affecting Microsoft 365 and Microsoft Office. The company confirmed the flaw is being actively exploited in the wild, as identified by its internal threat intelligence teams.
Tracked as CVE-2026-21509, the flaw stems from Microsoft Office’s reliance on untrusted inputs during security decisions. This enables threat actors to bypass Object Linking and Embedding (OLE) mitigations, allowing for malicious code execution when a user opens a crafted Office document.
Threat actors rely on user interaction, typically through phishing or social engineering, to exploit the flaw. The vulnerability carries a Common Vulnerability Scoring System (CVSS) v3.1 score of 7.8 and is rated Important.
The affected technology includes:
- Microsoft Office 2016 and 2019
- Microsoft Office Long-Term Servicing Channel (LTSC) 2021 and 2024
- Microsoft 365 Apps for Enterprise
Analysis
CVE-2026-21509 results from Microsoft Office's reliance on untrusted inputs in a security decision, allowing attackers to circumvent OLE restrictions that normally block unsafe Component Object Model (COM) and OLE controls.
OLE is a longstanding Microsoft technology that enables documents to embed or link to external objects such as spreadsheets, images, or dynamic content. Because OLE can load external objects and invoke helper applications, it has been a recurring target in phishing-driven malware campaigns.
OLE mitigations restrict how Office handles embedded or linked objects from untrusted sources by blocking automatic activation, enforcing trust decisions, and limiting scriptable interactions. These controls reduce the risk of malicious code execution when a document is opened.
However, CVE-2026-21509 can bypass these protections, reopening a pathway to deliver malicious payloads through standard Office files.
The Preview Pane is not an attack vector for this flaw. This keeps the vulnerability dependent on a user actively opening the malicious document, reducing the likelihood of silent, automatic exploitation.
Mitigation
Field Effect MDR protects organizations by detecting malicious document behavior, blocking payload execution, monitoring phishing-driven delivery, and responding rapidly to any signs of compromise. Even if the exploit bypasses Microsoft’s OLE mitigations, the downstream attacker behaviors are visible and actionable within the MDR platform.
The released emergency security updates apply differently depending on your version of Office:
- Microsoft 365 Apps receive protection through a service-side mitigation that activates after restarting Office
- Perpetual versions of Office 2016, 2019, and 2021 require installing the traditional security update to be fully protected
For detailed instructions and the latest guidance, please refer to Microsoft’s official security advisory.
Additional recommendations include reinforcing phishing-resistant authentication, increasing scrutiny of inbound Office documents, and monitoring for suspicious document execution activity. Restricting OLE usage where operationally feasible reduces exposure. Continuous endpoint monitoring and rapid containment workflows provide additional resilience while patching completes.
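One way to act on the recommendation to monitor for suspicious document execution activity, shown as an added example that is not code from Microsoft or Field Effect: it walks process ancestry so that an interpreter launched indirectly from an Office application is still flagged. The event field names, the Office and interpreter lists, and the sample events are assumptions constructed for illustration; this is a generic behavioral heuristic, not a signature for CVE-2026-21509.

```python
"""Flag script interpreters launched by, or descended from, an Office process."""
from ntpath import basename

# Assumed lists (not from the advisory); tune them to your environment.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed process-creation events; real telemetry should key on a process GUID, not a PID.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\splwow64.exe"},
]

def name(event):
    return basename(event["image"]).lower()

def office_ancestor(pid, by_pid):
    """Return the nearest Office ancestor event of pid, or None."""
    seen = set()
    cur = by_pid.get(by_pid[pid]["ppid"])
    while cur and cur["pid"] not in seen:  # stop on loops caused by PID reuse
        if name(cur) in OFFICE:
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return None

def detect(events):
    """Return (office_name, office_pid, child_name, child_pid) for each alert."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if name(e) in SUSPECT:
            parent = office_ancestor(e["pid"], by_pid)
            if parent:
                alerts.append((name(parent), parent["pid"], name(e), e["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT office=%s(%d) led to %s(%d)" % alert)
```

In the constructed sample, the `cmd.exe` started from `explorer.exe` and the print helper started by Excel produce no alert, while both the direct child and the grandchild of Word do.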