Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability

Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

On September 7, 2021, Microsoft released details about a zero-day RCE vulnerability in MSHTML that affects Microsoft Windows.

According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."

Sublime rule

```yaml
name: "Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability"
description: |
  Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444.

  On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows.

  According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
references:
  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444"
  - "https://twitter.com/buffaloverflow/status/1436261107329642522"
  - "https://twitter.com/jroosen/status/1435792491899494402"
  - "https://twitter.com/decalage2/status/1436433067619622916"
  - "https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/"
  - "https://twitter.com/aaaddress1/status/1436393045939814400"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(attachments,
          (
            (
              .file_extension in~ $file_extensions_macros
              or .file_extension =~ "rtf"
              or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
            )
            and any(file.oletools(.).relationships,
                    regex.icontains(.target, ".*html:http.*")
            )
          )
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    .flavors.mime == "text/xml"
                    and any(.scan.strings.strings,
                            regex.icontains(., ".*oleObject.*mhtml.*http.*")
                    )
            )
          )
  )
tags:
  - "CVE-2021-40444"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "Macro analysis"
  - "OLE analysis"
id: "8cefcf7f-2a48-5102-9b09-8db995759223"
```
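The first branch of the rule above relies on oletools to enumerate OOXML relationships and flag any whose target matches `html:http`. As an added example that is not code from Sublime or the rule's authors, the Python below performs the same check without oletools: it walks every `.rels` part inside a docx-shaped zip and reports External relationships whose Target matches that pattern. The docx is constructed inline (placeholder host `example.invalid`, no payload) so the scanner can be run offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by OOXML package relationship (.rels) parts.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Same intent as the rule's regex.icontains(.target, ".*html:http.*"):
# matches both "html:http..." and "mhtml:http..." targets, case-insensitively.
SUSPECT_TARGET = re.compile(r"html:http", re.IGNORECASE)

def find_remote_ole_relationships(docx_bytes):
    """Return (rels_part, rel_id, target) for every External relationship
    whose Target matches the (m)html:http pattern behind CVE-2021-40444."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed rels part: skip it rather than abort the scan
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and SUSPECT_TARGET.search(target):
                    hits.append((name, rel.get("Id"), target))
    return hits

# Constructed sample: one ordinary internal relationship plus one external
# oleObject relationship whose target uses the mhtml:http form (placeholder host).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://example.invalid/page.html" TargetMode="External"/>
</Relationships>"""

def build_sample_docx():
    """Build a minimal docx-shaped zip in memory carrying SAMPLE_RELS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

if __name__ == "__main__":
    for part, rel_id, target in find_remote_ole_relationships(build_sample_docx()):
        print(f"{part}: {rel_id} -> {target}")
```

The rule's second branch (archives containing text/xml members with `oleObject...mhtml...http` strings) is a string-level fallback for the same artifact; this script covers only the parsed-relationship case.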