The .hta file enables the attacker to gain full code execution on the victim's machine, bypassing any memory-based mitigation developed by Microsoft.
The exploit also downloads and displays a fake Word document to the user to hide a user prompt generated by the OLE2link object, FireEye said. He said the Microsoft patch should automatically update tomorrow on computers running Windows versions 7, 8 and 10.
McAfee said it identified the attacks on Thursday and made a decision to release its advisory immediately, which appeared late on Friday. While Microsoft works on a patch, McAfee recommends not opening any Office files obtained from untrusted sources, and also enabling Office Protected View. Microsoft is reportedly working on a fix that should be available on Tuesday.
To mitigate the security flaw, users should download the most recent patch from Microsoft.
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to a blog post by McAfee.
According to the researchers, a victim opening a suspicious Word file - embedded with an OLE2link object - in an email would trigger winword.exe to initiate an HTTP request to the attacker's remote server.
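The behaviour described above, winword.exe fetching HTML application content over HTTP, can be hunted for in endpoint or proxy telemetry. The following is an added example, not code from McAfee, FireEye or Microsoft; the JSON record schema (`host`, `image`, `url`, `content_type`), the hostnames and the sample records are constructed assumptions.

```python
import json
import ntpath
from urllib.parse import urlsplit

OFFICE_IMAGES = {"winword.exe"}   # the process the article names
HTA_MIME = "application/hta"      # MIME type used for HTML applications

# Constructed sample telemetry, one JSON record per HTTP response (assumed schema).
SAMPLE_LOG = r"""
{"host":"ws-014","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","url":"http://files.example.test/invoice.doc","content_type":"Application/HTA; charset=utf-8"}
{"host":"ws-014","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","url":"http://intranet.example.test/templates/letter.dotx","content_type":"application/vnd.openxmlformats-officedocument.wordprocessingml.template"}
{"host":"ws-022","image":"C:\\Windows\\System32\\svchost.exe","url":"http://update.example.test/a.hta","content_type":"application/hta"}
{"host":"ws-031","image":"C:\\Program Files\\Microsoft Office\\winword.exe","url":"http://cdn.example.test/x/readme.HTA?id=7","content_type":"text/plain"}
not-json garbage line
"""

def is_hta_response(url, content_type):
    """True if the response is HTA by declared MIME type or by URL path extension."""
    # Normalise the header: drop parameters such as charset and ignore case.
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    # Look only at the path so a query string cannot hide the extension.
    path = urlsplit(url or "").path.lower()
    return mime == HTA_MIME or path.endswith(".hta")

def find_office_hta_fetches(log_text):
    """Return (host, url) for every record where Word received HTA content."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the hunt
        if not isinstance(event, dict):
            continue
        # ntpath parses Windows paths regardless of the analyst's own OS.
        image = ntpath.basename(str(event.get("image", ""))).lower()
        if image in OFFICE_IMAGES and is_hta_response(
                event.get("url"), event.get("content_type")):
            hits.append((event.get("host"), event.get("url")))
    return hits

if __name__ == "__main__":
    for host, url in find_office_hta_fetches(SAMPLE_LOG):
        print(f"ALERT {host}: winword.exe received HTML application content from {url}")
```

The first sample record is the case to note: the URL looks like an ordinary document, so only the declared content type gives the download away.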
Allen acknowledged that "it would take a skilled research team" to recreate the OLE vulnerability, but added, "We know there are threat actors out there who have that facility".
Business users regularly trade Office files via email, a fact that cyber-attackers rely on for their spam and phishing campaigns. Microsoft's monthly security updates are scheduled for Tuesday, but it is not yet known whether a patch for this vulnerability will be included. He suggested that users enable Office Protected View.
But FireEye believes these attacks began only after the McAfee blog post and that the attackers likely reverse engineered the vulnerability from it.
Users of Microsoft Office are being warned of a new zero-day security flaw that has been exploited since at least January. Also, the attack cannot bypass Protected View in Word, so McAfee suggested enabling this view mode when opening documents just to be sure.