The Polish army warns against Microsoft Office. It's that bad

This concerns a security vulnerability in Microsoft Office, CVE-2026-21509, which Microsoft announced on January 26 this year. The problem is that, according to DKWOC’s findings, it was used to carry out cyberattacks the very next day.

Vulnerability in Microsoft Office

It is worth noting that everything here points to the activity of hostile intelligence services rather than ordinary cybercriminals. The victims are specific state institutions, and the attackers favor quality over quantity. Stolen e-mail addresses from various state institutions were used to conduct the attacks, and the content of the messages did not differ in quality from official communication. As we can read in the announcement on the website of the Polish Army:

Despite the wide scope of the campaign, the adversary’s actions were targeted, as evidenced by the precise targeting of institutions and specific people in their structures. Particularly noteworthy is the fact that in order to increase the credibility of phishing messages, hijacked e-mail accounts of state institutions from Central and Eastern European countries were used, (…)
The content of the message was consistent with the business profile of both the sender and the recipient. Taking into account the above facts, it should be assessed that the campaign was implemented in a way that minimized the risk of recipients detecting symptoms of a phishing attack.

It is worth adding that the Ministry of Digitization published a similar warning. As you can read on its website:

A few days after the disclosure of a new vulnerability in Microsoft Office, its active use in a targeted phishing campaign was reported. The attack was aimed at, among others, public institutions in Central and Eastern Europe, and opening the infected document resulted in the launch of malware.

How does the attack work?

Put simply, the CVE-2026-21509 vulnerability allows a malicious document to bypass Office security and automatically launch a mechanism that downloads malware from the Internet, which provides remote access to the infected computer. Opening the infected document is all it takes.

What about the patch?

Along with the vulnerability announcement, Microsoft also released a security patch. The problem is that it was activated automatically on the service side only for Microsoft Office 2021 and newer. Users of the 2016 and 2019 versions must install the security update manually, which is why they turned out to be such a susceptible target.

As the Polish Army argues, installing the security update is necessary. It is also worth remembering that although this attack was aimed specifically at state institutions, cybercriminals can use this vulnerability too. Private users should therefore also update their office suite.
