Security researchers are warning users to be very careful with opening Microsoft Office files.
Because of an unpatched Internet Explorer bug users are vulnerable to malware attacks even if Internet Explorer is not their preferred browser. This means that an attacker can create an office file that, when opened, will automatically load and install malware from the page accessed in Internet Explorer. Some protection is available if the Protected View mode in IE is on, but it won’t help in every case.
What is even more concerning is the fact that this is a Zero Day attack meaning that attackers are already exploiting this vulnerability even before Microsoft has issued a patch.
Researchers from cybersecurity service Expmon said they have successfully tested an attack on Windows 10 machines that were running Office 2019 and Office 365. They also said that the nature of this exploit confirms it will always work.
Until Microsoft releases the patch for this exploit and to mitigate the issue, Microsoft suggests disabling the ActiveX feature in Internet Explorer.