Microsoft 365 Apps Remote Code Execution Vulnerability Exploited via Malicious Excel Files

CVE: N/A (Microsoft disclosure pending) | Vendor: Microsoft | Product: Microsoft 365 Apps (formerly Office 365)
What Is the Vulnerability

Microsoft has disclosed a critical remote code execution vulnerability affecting the Microsoft 365 Apps ecosystem, exploitable through a specially crafted malicious Excel file. This follows the classic and persistent Office exploitation vector: a user opens a malicious document, and attacker-controlled code executes with the privileges of the logged-in user. The vulnerability resides in how Excel handles certain file structures, allowing an attacker to embed malicious payloads that bypass the standard security mitigations when the document is opened.

The attack chain is straightforward and low-complexity. An attacker delivers a weaponized Excel file via email or cloud sharing, and successful exploitation requires only that the victim open the file. No macros need to be enabled, and the attack works even in the default Protected View under certain circumstances, making this significantly more dangerous than traditional macro-based Office attacks.

Versions Affected

  • Microsoft 365 Apps for Enterprise (Current Channel: all builds prior to the June 2026 security update)
  • Microsoft 365 Apps for Business (Monthly Enterprise Channel affected in some configurations)
  • Excel for Microsoft 365 on Windows (primary attack surface; macOS exploitation not confirmed)
  • Legacy Office 2021 LTSC and Office 2019 editions are not affected

Exploited?

Yes. Microsoft has confirmed that this vulnerability is being actively exploited in the wild. The attacks observed are targeted — aimed at specific organizations rather than a broad spray-and-pray campaign — and have been attributed to a financially motivated threat actor with ties to ransomware affiliate groups. Initial access is gained via the Excel RCE, followed by the deployment of post-exploitation tooling including Cobalt Strike beacons and credential dumping utilities. Incident response teams have observed lateral movement within as little as 90 minutes of the initial document being opened.

Fix

Microsoft has released security updates addressing this vulnerability as part of the June 2026 Patch Tuesday cycle. All Microsoft 365 Apps users should apply the update immediately. The patch corrects how Excel validates and processes file structures before rendering content, effectively neutralizing the exploitation primitive.

For organizations that cannot patch immediately, the following mitigations apply with immediate effect:

  • Enable the Attack Surface Reduction (ASR) rule “Block all Office applications from creating child processes” (rule ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
  • Configure Protected View to open all files received from the internet and untrusted locations
  • Do not rely on user awareness alone; technical controls are the real defense here
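The first two mitigations above, applied from an elevated PowerShell session, as an added example that is not part of the original post. It assumes a Windows endpoint running Microsoft Defender Antivirus and the standard Office 16.0 policy registry location for Excel's Protected View settings; the ASR rule GUID is the one quoted above. Audit mode (action value 2) only logs, so the script insists on block mode.

```powershell
# Added example, not from the original post: enforce the ASR rule named in the post
# and make sure Excel keeps Protected View on for internet, unsafe-location and
# attachment files. Run elevated on a Windows endpoint with Microsoft Defender AV.
#Requires -RunAsAdministrator

$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office applications from creating child processes

# Enabled = block mode. AuditMode (value 2) only records events and stops nothing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify: the rule must be listed and its action must be 1 (Block).
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$inBlockMode = $false
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrRuleId -and $actions[$i] -eq 1) { $inBlockMode = $true }
}
if (-not $inBlockMode) {
    throw "ASR rule $asrRuleId is not present in block mode on this host"
}

# Protected View policy for Excel (assumed standard Office 16.0 policy path).
# Each value is a "Disable..." switch, so 0 keeps Protected View ON for that source.
# 'DisableAttachementsInPV' is spelled the way Office expects it.
$pvKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView'
New-Item -Path $pvKey -Force | Out-Null
foreach ($name in 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachementsInPV') {
    Set-ItemProperty -Path $pvKey -Name $name -Value 0 -Type DWord
}
Get-ItemProperty -Path $pvKey | Select-Object DisableInternetFilesInPV, DisableUnsafeLocationsInPV, DisableAttachementsInPV
```

In a managed estate the same settings are normally pushed by Intune or Group Policy; the script is useful for verifying on a single host that the policy actually landed, because the ASR rule in audit mode looks "deployed" in a console while blocking nothing.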

Recommendations

  • Apply the June 2026 Microsoft security updates to all Microsoft 365 Apps installations on an emergency patch cadence
  • Audit ASR rule deployment across all endpoints and ensure block mode is active
  • Review email gateway rules to quarantine or flag XLSX files from external senders
  • Implement detection signatures for Office-spawned child processes in the SOC
  • Consider application allowlisting for Office binary directories
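One shape the "Office-spawned child process" detection can take, as an added example that is not part of the original post. It runs over a few constructed sample events laid out like Sysmon Event ID 1 (process creation) fields; the parent and child process names are assumptions chosen to match the scope of the ASR rule above, not indicators from the post. On a real host the same function can be fed from `Get-WinEvent` against the Sysmon operational log, as noted in the trailing comment.

```powershell
# Added example, not from the original post: flag process-creation events where an
# Office application is the parent of a shell, script host or LOLBin. Process name
# lists below are assumptions, not indicators published with this advisory.

$officeParents      = 'EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'
$highSeverityChildren = 'powershell.exe', 'pwsh.exe', 'mshta.exe'

function Find-OfficeChildProcess {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage)
        $child  = [System.IO.Path]::GetFileName($e.Image)
        # -contains is case-insensitive, so EXCEL.EXE and excel.exe both match.
        if (($officeParents -contains $parent) -and ($suspiciousChildren -contains $child)) {
            $severity = 'Medium'
            if ($highSeverityChildren -contains $child) { $severity = 'High' }
            [pscustomobject]@{
                Time        = $e.UtcTime
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                Severity    = $severity
            }
        }
    }
}

# Constructed sample events (not real telemetry) in the shape of Sysmon Event ID 1 fields.
$events = @(
    [pscustomobject]@{ UtcTime = '2026-06-30 09:12:01'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -Command "<constructed sample>"' }
    [pscustomobject]@{ UtcTime = '2026-06-30 09:12:03'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\splwow64.exe'          # benign print helper, must NOT fire
                       CommandLine = 'splwow64.exe 12288' }
    [pscustomobject]@{ UtcTime = '2026-06-30 09:15:44'
                       ParentImage = 'C:\Windows\explorer.exe'    # not an Office parent, must NOT fire
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c dir' }
)

# Expected: exactly one hit, the EXCEL.EXE -> powershell.exe event, at High severity.
Find-OfficeChildProcess -Events $events | Format-Table -AutoSize

# On an endpoint with Sysmon installed, pull real process-creation events instead:
# $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000
# then map each event's EventData (UtcTime, ParentImage, Image, CommandLine) onto the objects above.
```

The benign `splwow64.exe` case is included on purpose: a rule that alerts on every Excel child process will drown in printing and add-in noise, which is why the allow/deny lists are explicit rather than "anything spawned by Office". The same parent-child logic is what the ASR rule enforces on the endpoint; the SOC signature catches hosts where that rule is absent or still in audit mode.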

References

  • Microsoft Security Response Center — June 2026 Security Updates
  • CybersecurityNews — Initial report on active exploitation
  • US CISA Known Exploited Vulnerabilities Catalog (expected listing)

Part of the Vulnerability Intelligence series. See the June 30, 2026 VIR.
