CVE-2023-36884 — Microsoft Windows Search Remote Code Execution Vulnerability

CVE-2023-36884

Office/Windows HTML — MOTW Bypass and RCE via Malicious Office Document; Used by Storm-0978 at NATO Summit

What is the Windows Mark of the Web?

The Mark of the Web (MOTW) is a Windows security mechanism that tags files downloaded from the internet with a Zone Identifier, causing Windows to treat them as potentially unsafe. When a user opens an Office document bearing the internet zone MOTW, Office's Protected View activates — displaying the document in a read-only sandbox that prevents macros and active content from executing without user confirmation. Bypassing MOTW causes Office to open documents as if they came from a trusted local source, enabling malicious content (macros, OLE objects, embedded scripts) to execute immediately without Protected View. MOTW bypasses are therefore a critical capability for phishing-based malware delivery.
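To make the mechanism concrete, here is an added PowerShell check (not part of the original page) that reads the Zone.Identifier alternate data stream carrying the MOTW on NTFS volumes and reports whether Office would be expected to open the file in Protected View. The zone-name table and the "ZoneId 3 or 4 means Protected View" rule are the standard Windows URL zone semantics; the function name and output fields are this example's own.

```powershell
# Added example: inspect the Zone.Identifier stream that stores the Mark of the Web.
# ZoneId 3 (Internet) and 4 (Restricted Sites) are the values that engage Protected View.
function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'
                    3 = 'Internet';     4 = 'RestrictedSites' }
    $result = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; Zone = $null
                          ReferrerUrl = $null; HostUrl = $null; ProtectedViewExpected = $false }

    # No stream means the file was never tagged, or the tag was stripped: no Protected View.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return [pscustomobject]$result }

    $result.HasMotw = $true
    # Stream body is INI-style: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
    foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
        if ($line -match '^(?<k>ZoneId|ReferrerUrl|HostUrl)=(?<v>.*)$') {
            switch ($Matches.k) {
                'ZoneId'      { $result.ZoneId = [int]$Matches.v }
                'ReferrerUrl' { $result.ReferrerUrl = $Matches.v }
                'HostUrl'     { $result.HostUrl = $Matches.v }
            }
        }
    }
    if ($null -ne $result.ZoneId) {
        $result.Zone = $zoneNames[$result.ZoneId]
        $result.ProtectedViewExpected = ($result.ZoneId -ge 3)
    }
    [pscustomobject]$result
}

# Usage: list downloaded Office documents that would NOT open in Protected View,
# i.e. files with no MOTW or with a zone below Internet. Worth a second look in IR triage.
Get-ChildItem "$env:USERPROFILE\Downloads" -Recurse -Include *.doc,*.docx,*.rtf,*.xlsx,*.pptx |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.ProtectedViewExpected } |
    Format-Table Path, HasMotw, Zone, ReferrerUrl -AutoSize
```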

Overview

CVE-2023-36884 is a remote code execution vulnerability in Microsoft Office and Windows HTML processing that allows an attacker to bypass Mark of the Web protections and execute code when a user opens a malicious Office document delivered via phishing. Microsoft disclosed it on July 11, 2023, without an immediate patch — providing only interim mitigations — while attributing active exploitation to Storm-0978 (RomCom), a threat actor with both espionage and ransomware operations. The full patch was not released until the August 2023 Patch Tuesday. CISA added it to KEV on July 17, 2023.

Affected Versions

| Product | Affected | Fixed |
|---|---|---|
| Microsoft Office 2016 | Yes | August 2023 security update |
| Microsoft Office 2019 | Yes | August 2023 security update |
| Microsoft Office LTSC 2021 | Yes | August 2023 security update |
| Microsoft 365 Apps for Enterprise | Yes | August 2023 Channel update |
| Windows (all supported versions, HTML processing component) | Yes | August 2023 cumulative update |

Technical Details

CVE-2023-36884 is classified as CWE-362 (race condition). The race occurs in how Windows processes specially crafted HTML content embedded in an Office document, and winning it defeats Office's Mark of the Web validation: even though the document is tagged as internet-origin, Office opens it in full-fidelity mode rather than in Protected View.

With Protected View bypassed and the document executing in full-fidelity mode, maliciously embedded OLE objects, RTF structures, or remote template references can trigger execution of attacker-controlled code. The initial exploitation vector is a phishing email containing a malicious .docx or similar Office document attachment.

Microsoft's interim mitigation (published July 11 without a patch) involved adding Office applications to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, which blocks certain cross-protocol navigation sequences used in the exploit chain.

Discovery

Microsoft's Threat Intelligence team identified active exploitation by Storm-0978 targeting organizations related to the NATO Ukraine Defense Contact Group summit, timed to coincide with the actual summit in Vilnius, Lithuania in July 2023.

Exploitation Context

Storm-0978 (also called RomCom, DEV-0978, and UNC2596) is a threat actor with dual operations:

  • Espionage: Targeting European government entities, military organizations, and entities involved in Ukraine support
  • Financial crime: Operating Cuba ransomware and conducting financial theft

In July 2023, Storm-0978 used CVE-2023-36884 in spear-phishing campaigns targeting attendees and organizations connected to the NATO Summit — sending documents themed around NATO agenda items, Ukrainian support materials, and related topics. The goal was intelligence collection from European defense and government networks.

The Known Ransomware Use flag in Key Details is set to Yes because Storm-0978 uses the same infrastructure for both espionage and financially motivated ransomware deployment.

Remediation

  1. Apply the August 2023 cumulative Windows update and Office security update — the July 2023 disclosure had no patch; the August 2023 Patch Tuesday delivered the fix.
  2. Apply the interim registry mitigation if still unpatched — add Word, Excel, PowerPoint, Outlook, and other Office applications to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION with a DWORD value of 1. See MSRC advisory for the exact registry configuration.
  3. Enable Attack Surface Reduction (ASR) rules — specifically "Block all Office applications from creating child processes" and rules targeting Office macro execution.
  4. Enable Protected View for internet-origin files and ensure it cannot be disabled by users in high-risk environments.
  5. Deploy Microsoft Defender for Office 365 — ATP Safe Attachments detonates Office documents in a sandbox before delivery, detecting malicious content before users can open it.
  6. Educate users about NATO/Ukraine-themed phishing — in geopolitical campaigns, lure documents are specifically designed to be plausible and interesting to the intended target population.
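For step 2, the following PowerShell script (added here; not Microsoft's own tooling) applies and then audits the interim FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation on an unpatched host. The process names in $OfficeExes are the ones Microsoft's advisory lists as far as the author of this example recalls and should be verified against the MSRC advisory; the function names are this example's own. Run from an elevated prompt.

```powershell
# Added example: apply and verify the interim registry mitigation for CVE-2023-36884.
# Each value is a REG_DWORD named after an Office process, set to 1 to block
# cross-protocol file navigation for that process. Values assumed from the MSRC advisory.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-CrossProtocolBlock {
    param([string[]]$Executables = $OfficeExes)
    # Policy key does not exist by default; create the full path if needed.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    param([string[]]$Executables = $OfficeExes)
    # Read the key once; a missing key means nothing is mitigated.
    $props = if (Test-Path -Path $KeyPath) { Get-ItemProperty -Path $KeyPath } else { $null }
    foreach ($exe in $Executables) {
        $prop  = if ($props) { $props.PSObject.Properties[$exe] } else { $null }
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Executable = $exe
            Value      = $value
            Mitigated  = ($value -eq 1)   # anything other than DWORD 1 is not mitigated
        }
    }
}

Set-CrossProtocolBlock
# Audit output: every row should show Mitigated = True on an unpatched host.
Test-CrossProtocolBlock | Format-Table -AutoSize
```

Test-CrossProtocolBlock on its own is useful as a fleet compliance check (for example via a remoting session) without changing anything.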

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2023-36884 |
| Vendor / Product | Microsoft / Windows |
| NVD Published | 2023-07-11 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-362 |
| CISA KEV Added | 2023-07-17 |
| CISA KEV Deadline | 2023-08-29 |
| Known Ransomware Use | Yes |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2023-08-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2023-07-11 | Microsoft discloses CVE-2023-36884 on Patch Tuesday without a patch; provides mitigations |
| 2023-07-11 | Microsoft publishes Storm-0978 attribution for exploitation targeting NATO Summit-related organizations |
| 2023-07-17 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-08-08 | Microsoft releases the patch for CVE-2023-36884 in the August 2023 Patch Tuesday update |
| 2023-08-29 | CISA BOD 22-01 remediation deadline |