Fancy Bear Exploits Microsoft Office Flaw in Ukraine, EU Cyber-Attacks

https://www.infosecurity-magazine.com/news/fancy-bear-exploits-office-flaw/

Publish Date: 2026-02-02 07:45:00

Source Domain: www.infosecurity-magazine.com

Russian-linked hacking group Fancy Bear (APT28) has reportedly exploited a recently disclosed vulnerability in Microsoft Office to conduct cyber-attacks against Ukrainian and EU organizations.

The warning was published on February 2 by the Computer Emergency Response Team of Ukraine (CERT-UA), the country’s national cyber threat intelligence unit.

CVE-2026-21509 Exploited Before Disclosure

Specifically, CERT-UA reported finding a Word DOC file named ‘Consultation_Topics_Ukraine(Final).doc’ on January 29. The file contained an exploit for CVE-2026-21509, a high-severity vulnerability (CVSS 3.1 score of 7.8) affecting several versions of Microsoft Office: 2016, 2019, LTSC 2021, LTSC 2024 and Microsoft 365 Apps for Enterprise.

Disclosed by Microsoft on January 26, the flaw is an over-reliance on untrusted inputs in a security decision in Microsoft Office.

When exploited, it can enable an attacker to bypass the object linking and embedding (OLE) mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable component object model (COM) and OLE controls.

Microsoft confirmed in its security advisory that it had detected evidence of exploitation in the wild. The tech firm urged customers running Microsoft Office 2016 and 2019 to make sure the update is installed in order to be protected.

Customers running Office 2021 and later will be automatically protected via a service-side change but will be required to restart their Office applications for this to take effect.

“Given the likely delay (or inability) of users to update Microsoft Office or apply recommended security measures, the number of cyber-attacks exploiting this vulnerability is expected to increase,” the CERT-UA report noted.

Fancy Bear’s CVE-2026-21509 Exploit Chain

The .doc file identified by CERT-UA was related to consultations of the Committee of Permanent Representatives (COREPER) of the EU regarding the situation in Ukraine.

Metadata indicated that the file was…
