Russian hackers are targeting a new Office 365 zero-day, so patch now or face attack

By Sead Fadilpašić, published 3 February 2026

Ukraine's defenders have spotted a new hacking attack

  • Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
  • Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
  • CISA added the flaw to its KEV catalog, urging immediate patching

Russian hackers have attacked Ukrainian government agencies using a high-severity Microsoft Office vulnerability mere days after a patch was released.

On January 26, 2026, Microsoft pushed an emergency fix to address CVE-2026-21509, a "reliance on untrusted inputs in a security decision" vulnerability that allows unauthorized attackers to bypass Microsoft Office security features locally. The bug was given a severity score of 7.6/10 (high), and was said to have already been abused in the wild as a zero-day.

Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals sending malicious DOC files that exploited the flaw to dozens of government-related email addresses. Some were themed around the EU COREPER consultations, while others spoofed the country’s Hydrometeorological Center.

How to defend against APT28

CERT-UA says that the attack is the work of APT28, a Russian state-sponsored threat actor also known as Fancy Bear or Sofacy. The group is linked with the country’s General Staff Main Intelligence Directorate (GRU).

The researchers based their findings on the analysis of the malware loader used in these attacks. Apparently, it is the same one that was used in a June 2025 attack, in which Signal chats were used to deliver BeardShell and SlimAgent malware to Ukrainian government employees. This attack was confirmed to have been conducted by APT28.

To defend against the attacks, CERT-UA advised government entities (and everyone else, basically) to apply the latest patches and update their Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps. Office 2021 users were also reminded to restart their applications after updating, to make sure the patches are applied.

The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2026-21509 to its catalog of known exploited vulnerabilities (KEV).

Those who cannot install the patches should make changes in the Windows Registry as a mitigation. Microsoft has provided a step-by-step guide for this.

Via BleepingComputer
