Microsoft patches Windows OLE Vulnerability (CVE-2025-21298) and Sophos Highlights Office 365 Threats

In the last Patch Tuesday, Microsoft addressed a high-severity vulnerability in Microsoft Outlook that could allow attackers to execute remote code via maliciously crafted emails. Separately, Sophos has observed threat actors leveraging the Office 365 suite in attacks such as email bombing, IT impersonation on Teams, and remote control via Quick Assist.

Threat alert
January 22, 2025


Windows Object Linking and Embedding (OLE) is used to embed and link documents and objects. This attack requires little sophistication and poses a real risk to organisations, as unaware victims could be compromised simply by previewing the email in Outlook, with no further interaction. Exploitation is possible because of a use-after-free condition in the OLE component that enables arbitrary code execution on the system.

Sophos tracked and identified two threat actors, STAC5143 and STAC5777, that exploit weaknesses in Microsoft Office 365 configurations to gain unauthorized access, steal data, and deploy ransomware. Both groups abuse the default Teams settings, which allow communication with external users.

STAC5143’s technique is to email-bomb the user and then follow up with a Teams call while posing as the Help Desk. Once contact is established, the attackers use Teams remote control to install Java-based malware that in turn downloads further payloads and credential-theft tools.

Similarly, STAC5777 spams users with Teams calls and tricks them into launching Quick Assist, which is then used to deploy a malicious payload. The malware (winhttp.dll), side-loaded by the legitimate ‘OneDriveStandaloneUpdater.exe’ binary, then runs a PowerShell command that creates a .lnk file to maintain persistence.

Recommendations:

  • Users should be cautious when dealing with emails from outside the company, especially those that contain attachments or links.
  • Businesses should review and assess the need for remote access tools such as Quick Assist and take the appropriate actions.
  • Restrict Teams communication to trusted domains and vendors.
  • Detection rules are recommended for monitoring Quick Assist activity and for Teams messages from untrusted external entities that contain links.
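As an added example (not part of the Socura alert or Sophos’s research), the following Python script runs detection logic of the kind the last recommendation describes over a handful of constructed Sysmon-style events: a Quick Assist launch, winhttp.dll being side-loaded by OneDriveStandaloneUpdater.exe from a user-writable path, and PowerShell writing a .lnk into a Startup folder. The event field names and sample paths are assumptions, not real telemetry.

```python
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\QuickAssist.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "CORP\\jdoe"},
    # winhttp.dll loaded from the same user-writable folder as the updater: side-load pattern
    {"event": "image_load", "image": r"C:\Users\jdoe\AppData\Local\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Users\jdoe\AppData\Local\winhttp.dll", "user": "CORP\\jdoe"},
    # benign: the real updater loading the system copy of winhttp.dll
    {"event": "image_load", "image": r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe",
     "loaded": r"C:\Windows\System32\winhttp.dll", "user": "CORP\\jdoe"},
    {"event": "file_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     "user": "CORP\\jdoe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def classify(ev):
    """Return an alert label for one event, or None if nothing matches."""
    kind = ev["event"]
    if kind == "process_create" and _name(ev["image"]) == "quickassist.exe":
        return "quick_assist_launch"
    if (kind == "image_load" and _name(ev["image"]) == "onedrivestandaloneupdater.exe"
            and _name(ev["loaded"]) == "winhttp.dll" and not _in_system_dir(ev["loaded"])):
        return "winhttp_sideload"
    if (kind == "file_create" and _name(ev["image"]) == "powershell.exe"
            and ev["target"].lower().endswith(".lnk") and "\\startup\\" in ev["target"].lower()):
        return "powershell_startup_lnk"
    return None


def detect(events):
    """Return (label, user) pairs for every event that triggers a rule."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev["user"]))
    return hits


if __name__ == "__main__":
    for label, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {label} user={user}")
```

Correlating these three labels for the same user within a short window is what turns individually noisy signals into a high-confidence indicator of the STAC5777 pattern.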

Here at Socura we are focusing on proactive threat hunts and creating rules to detect such malicious activities.