A zero day vulnerability in Microsoft Word is being exploited to install malware on Windows machines.

According to FireEye, “The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Microsoft reportedly knew about the vulnerability since January but has not issued a security advisory or patch for it. According to McAfee, “The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.”

Another security firm, Proofpoint, has observed “the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.”

If you are a Microsoft Word user, please pay heed to McAfee’s advice: Do not open any Office files obtained from untrusted locations, and because this active attack cannot bypass the Office Protected View, ensure that the Office Protected View is enabled. Update your machine as soon as Microsoft releases updates.