
Microsoft Office Russian Dolls, (Fri, Nov 14th)

Medium
Vulnerability
Published: Fri Nov 14 2025 (11/14/2025, 13:42:55 UTC)
Source: SANS ISC Handlers Diary

AI-Powered Analysis

Last updated: 11/14/2025, 13:50:45 UTC

Technical Analysis

The 'Microsoft Office Russian Dolls' diary describes a multi-layered malicious document analysed by a SANS ISC handler, nested like Matryoshka dolls. The outer layer is a standard OOXML Word document (.docx). Instead of carrying the payload in the document body or in a macro, it uses the 'altChunk' feature: a w:altChunk element in document.xml references an external part through a relationship, and Word imports and renders that part as if it were native document content. Here the referenced part is an RTF file, and that RTF carries an exploit for CVE-2017-11882, a stack buffer overflow in the legacy Microsoft Equation Editor component (EQNEDT32.EXE) that yields arbitrary code execution when the embedded equation object is loaded.

On successful exploitation the shellcode drops a DLL into the user's temporary directory under the name 'license.ini', so that it does not look like a library on disk, and runs it through the Windows rundll32 utility with unusual parameters. The DLL is heavily obfuscated, which, together with the odd command line, hinders both detection and analysis. The malware family is uncertain but may be related to Formbook, a known info-stealer.

The technique sidesteps the modern Office default that blocks VBA macros in files from the internet, because no macro is involved: the chain rests on a legacy vulnerability and on nested container formats. The victim still has to open the document, but is never asked to enable anything. Microsoft fixed CVE-2017-11882 in November 2017 and removed the Equation Editor component in the January 2018 Office updates, so a fully patched installation is not affected; the technique targets endpoints that still ship the vulnerable component. The diary documents one analysed sample rather than a broad campaign, but the nesting, the reliance on a legacy vulnerability and the ease with which such documents can be re-used make it a medium-severity threat and a reminder of the layered defences that legacy Office components demand.
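To make the container structure concrete, here is an added example (not code from the diary or from SANS ISC) of a scanner that unpacks a .docx, follows every w:altChunk relationship of type aFChunk to its target part, and reports whether that part is RTF and whether it carries the control words an embedded Equation Editor object uses. The package builder constructs a minimal OOXML container purely for the demonstration; the marker list is an assumption about what such RTF typically contains, and the sample RTF holds no OLE payload or shellcode.

```python
"""Scan a .docx for w:altChunk parts that pull in RTF, then look inside that RTF
for the control words an embedded Equation Editor object would carry.

Added example, not code from the ISC diary. build_sample_docx() produces a
constructed, minimal OOXML container for demonstration; it contains no exploit."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
AFCHUNK_TYPE = R_NS + "/aFChunk"  # relationship type Word uses for altChunk targets

# Markers commonly seen in RTF that embeds an Equation Editor object (assumed list).
# Their presence justifies a closer look; it is not proof of a CVE-2017-11882 trigger.
EQN_MARKERS = {
    "objclass_equation": re.compile(rb"\\objclass\s*Equation", re.I),
    "objupdate": re.compile(rb"\\objupdate"),  # forces the OLE object to load on open
    "equation3_hex": re.compile(rb"4571756174696f6e2e33", re.I),  # "Equation.3" hex-encoded
}


def _part_path(target):
    """Targets in document.xml.rels are relative to word/ unless they start with '/'."""
    return target.lstrip("/") if target.startswith("/") else "word/" + target


def find_altchunks(z):
    """Yield (rId, relationship type, target) for every w:altChunk in document.xml."""
    doc = ET.fromstring(z.read("word/document.xml"))
    rels_name = "word/_rels/document.xml.rels"
    rels = ET.fromstring(z.read(rels_name)) if rels_name in z.namelist() else None
    by_id = {} if rels is None else {
        r.get("Id"): r for r in rels.iter("{%s}Relationship" % PKG_NS)}
    for chunk in doc.iter("{%s}altChunk" % W_NS):
        rid = chunk.get("{%s}id" % R_NS)
        rel = by_id.get(rid)
        yield rid, (rel.get("Type") if rel is not None else None), \
            (rel.get("Target") if rel is not None else None)


def scan_docx(data):
    """Return one finding per altChunk: is the target RTF, and which markers it holds."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return findings  # not a Word package
        for rid, rtype, target in find_altchunks(z):
            finding = {"rId": rid, "type": rtype, "target": target,
                       "is_rtf": False, "markers": []}
            if rtype == AFCHUNK_TYPE and target and _part_path(target) in names:
                body = z.read(_part_path(target))
                finding["is_rtf"] = body.lstrip().startswith(b"{\\rtf")
                finding["markers"] = [n for n, rx in EQN_MARKERS.items() if rx.search(body)]
            findings.append(finding)
    return findings


def is_suspicious(findings):
    """True when any altChunk pulls in RTF that carries Equation Editor markers."""
    return any(f["is_rtf"] and f["markers"] for f in findings)


def build_sample_docx(rtf_body):
    """Constructed minimal package: an otherwise empty body with one altChunk whose
    relationship points at word/afchunk.rtf. Enough for this scanner, not a full .docx."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        '<w:body><w:altChunk r:id="rId9"/></w:body></w:document>'
    )
    rels_xml = (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId9" Type="{AFCHUNK_TYPE}" Target="afchunk.rtf"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/afchunk.rtf", rtf_body)
    return buf.getvalue()


# Constructed RTF stubs: the first carries the control words an Equation Editor OLE
# object would use, with a placeholder \objdata and no shellcode; the second is plain text.
SUSPICIOUS_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
                  b"{\\*\\objdata 4571756174696f6e2e33}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.}"

if __name__ == "__main__":
    for label, rtf in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        findings = scan_docx(build_sample_docx(rtf))
        print(label, is_suspicious(findings), findings)
```

Point the scanner at real files with `scan_docx(open(path, "rb").read())`. Because the RTF is a separate zip member rather than inline content, a scanner that only parses document.xml, or only looks for macros and OLE streams in the .docx itself, never sees the exploit; following the aFChunk relationship is the step that matters.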

Potential Impact

For European organizations, this threat poses a significant risk primarily to Windows endpoints running Microsoft Office that still carry the legacy Equation Editor component, i.e. installations that missed the November 2017 fix for CVE-2017-11882 or were never updated past January 2018. Successful exploitation yields arbitrary code execution in the user's context, enabling attackers to deploy info-stealers or remote access tools, with data exfiltration, credential theft and lateral movement as likely follow-on effects. Nesting the RTF inside an OOXML container complicates detection: scanners that inspect only the .docx body, or that look for macros and OLE objects in the outer document, never see the RTF unless they unpack the zip and follow the altChunk relationship. Sectors with high document exchange volumes, such as finance, legal and government, face elevated exposure, as do organizations running legacy Office versions or with delayed patching cycles. The obfuscated DLL payload and its execution through rundll32, a signed Windows binary, further complicate incident response and forensic analysis. Overall, the threat can degrade the confidentiality and integrity of organizational data and disrupt operations if the delivered payload includes ransomware or destructive components.

Mitigation Recommendations

1. Ensure all Microsoft Office installations are fully patched. CVE-2017-11882 was fixed in November 2017 and the Equation Editor was removed by the January 2018 Office updates; on endpoints that were upgraded in place, verify that EQNEDT32.EXE is no longer present (it normally lived under Program Files\Common Files\Microsoft Shared\EQUATION).
2. Deploy endpoint detection and response (EDR) solutions that inspect embedded document objects. A .docx is a zip archive, so the scanner must unpack it, follow the aFChunk relationship from document.xml to the referenced part, and analyse that part as RTF. Treat an altChunk that points at RTF in an externally received document as worth an alert; altChunk also has legitimate uses (HTML and RTF import), so tune rather than block outright.
3. Implement application control and monitor rundll32.exe launches. A module argument without a .dll extension (here license.ini), a module under a user temp directory, or a parent process of WINWORD.EXE or EQNEDT32.EXE are each reasons to alert.
4. Use mail and network-level protections to block or flag suspicious document attachments, particularly those containing embedded RTF or unusual internal structure; the same unpacking requirement applies there.
5. Educate users on the risks of opening unsolicited or unexpected Office documents, even when the document does not prompt to enable macros.
6. Employ sandboxing solutions that fully unpack nested document formats and that include a representative Office build in the analysis image, so that EQNEDT32.EXE spawning from Word can be observed on a vulnerable configuration.
7. Regularly audit and restrict use of legacy Office features that can be abused, such as 'altChunk'.
8. Maintain incident response capabilities to quickly analyse and remediate infections involving obfuscated DLL payloads; collecting the dropped file from %TEMP% and the full rundll32 command line is the first step.
9. Disable the Equation Editor if it is still present and not required. Microsoft's published workaround for CVE-2017-11882 sets the Compatibility Flags DWORD to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the Wow6432Node equivalent on 64-bit Windows), which blocks the Equation.3 object from loading.
10. Monitor threat intelligence feeds for updates on this technique and related malware families to adapt defences accordingly.
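For item 3, here is an added example (not code from the diary or from SANS ISC) of detection logic run over constructed process-creation log lines. It extracts the module rundll32 was asked to load and flags the three conditions the diary's chain would produce: a non-.dll module name such as license.ini, a module under a user temp directory, and an Office or Equation Editor parent. The tab-separated log layout, the EQNEDT32.EXE parent and the "#1" entry-point argument are assumptions; the diary does not publish those details.

```python
"""Flag rundll32.exe launches matching the pattern in the diary: the module argument
is not a .dll (the dropped file is named license.ini), it lives in a user temp
directory, or rundll32 was spawned by an Office process.

Added example, not code from the ISC diary. The log lines are constructed; their
tab-separated layout, the parent process and the entry-point argument are assumptions."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
TEMP_DIR_RX = re.compile(r"\\(?:appdata\\local\\temp|temp)\\", re.I)
# Matches an optionally quoted, optionally full-path rundll32[.exe] and captures the rest.
RUNDLL32_RX = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s*(.*)$', re.I)


def _leaf(path):
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline):
    """Return the module rundll32 was told to load: the first argument, with quotes
    and any ',EntryPoint' suffix stripped. None if the command is not rundll32."""
    m = RUNDLL32_RX.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        module = rest[1:end] if end != -1 else rest[1:]
    else:
        module = rest.split(" ", 1)[0]
    return module.split(",", 1)[0]


def assess(event):
    """Return the reasons a rundll32 event deserves attention ([] if none)."""
    if _leaf(event["image"]) != "rundll32.exe":
        return []
    module = rundll32_module(event["cmdline"])
    if not module:
        return ["rundll32 launched without a module argument"]
    reasons = []
    if not module.lower().endswith(".dll"):
        reasons.append("module has non-DLL extension: " + _leaf(module))
    if TEMP_DIR_RX.search(module):
        reasons.append("module loaded from a temp directory")
    if _leaf(event["parent"]) in OFFICE_PARENTS:
        reasons.append("spawned by Office process " + _leaf(event["parent"]))
    return reasons


def parse_line(line):
    """Parse one constructed log line: timestamp<TAB>parent<TAB>image<TAB>cmdline."""
    ts, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample events. The first mirrors the diary's chain (license.ini in
# %TEMP% handed to rundll32); the parent and the "#1" entry point are placeholders.
SAMPLE_LOG = [
    "2025-11-14T09:12:03Z\tC:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
    "\tC:\\Windows\\System32\\rundll32.exe"
    "\trundll32.exe \"C:\\Users\\bob\\AppData\\Local\\Temp\\license.ini\",#1",
    "2025-11-14T09:15:44Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\rundll32.exe"
    "\trundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL hotplug.dll",
    "2025-11-14T09:20:10Z\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tC:\\Windows\\System32\\rundll32.exe"
    "\t\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\printui.dll,PrintUIEntry /?",
]


def scan_log(lines):
    """Return [(timestamp, reasons)] for every line that raises at least one reason."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = assess(ev)
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in scan_log(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

The third sample line shows why the conditions are reported separately rather than as one boolean: a legitimate DLL launched from Word is only a single weak signal, whereas the first line trips all three and should page someone.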


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32484 (fetched 2025-11-14T13:50:23Z, word count 501)

Threat ID: 6917339f3d7715a824bc0f43

Added to database: 11/14/2025, 1:50:23 PM

Last enriched: 11/14/2025, 1:50:45 PM

Last updated: 11/15/2025, 8:00:24 AM
