CVE-2023-36884: Windows Search RCE Used in NATO Summit Attacks
How Storm-0978 (RomCom) weaponized a zero-day Windows and Office vulnerability to target NATO summit attendees and Ukrainian government entities — disclosed without a patch
CVE-2023-36884 is a remote code execution vulnerability affecting Windows Search and Microsoft Office, exploited as a zero-day by Storm-0978 — a Russian threat actor also known as RomCom, UNDERGROUND, and Tropical Scorpius — during the NATO Vilnius summit in July 2023. The group sent spear-phishing emails with Office documents that exploited the flaw to deliver RomCom RAT to government officials and defense contractors across NATO member states. Unusually, Microsoft disclosed the vulnerability and attributed the attacker in the same advisory but released no patch until August 2023.
Storm-0978: Dual Financial and Espionage Motives
Storm-0978 is a Russia-based threat group with a dual mission: ransomware and extortion operations (operating the UNDERGROUND ransomware) and targeted espionage against entities aligned with Ukraine's support network. The group previously attacked Ukrainian and European government targets with RomCom RAT and has demonstrated consistent interest in NATO operations, Ukrainian government communications, and defense contractor networks.
The July 2023 campaign used NATO summit-themed lure documents impersonating the Ukrainian World Congress — a tactically timed operation designed to reach officials and staff processing summit-related correspondence. This targeting precision, combined with zero-day capability, indicates a well-resourced actor with significant intelligence preparation.
Technical Mechanism: search-ms URI Handler Abuse
CVE-2023-36884 exploits the Windows search-ms: URI protocol handler — the same underlying primitive class used in Follina (CVE-2022-30190). The attack flow:
1. A malicious Office document contains an embedded OLE object referencing a remote search-ms: URI pointing to attacker infrastructure.
2. When the document is opened, Office processes the OLE reference and triggers the search-ms: URI handler.
3. Windows Search initiates a query against the attacker-controlled remote server (WebDAV or SMB).
4. The Windows Search results window renders attacker-controlled content, including malicious shortcuts (.lnk) or executables, in a trusted context.
5. Minimal additional user interaction leads to payload execution.
Critically, this bypass worked even in configurations where Office documents from the internet are normally processed in Protected View. Documents extracted from ZIP attachments in some configurations did not receive Mark-of-the-Web (MOTW) tagging, allowing the attack to bypass the Protected View sandbox entirely.
Attack Chain
The Storm-0978 campaign delivery and exploitation sequence:
Spear-Phishing Email Delivery
Targeted email sent to government, military, and defense contractor recipients with NATO summit-themed lure; ZIP attachment contains malicious Word document impersonating Ukrainian World Congress.
Document Opened — Protected View Bypassed
Victim opens .docx file; ZIP extraction may strip MOTW, allowing document to open outside Protected View sandbox in certain configurations.
OLE Object Triggers search-ms URI
Embedded OLE object causes Office to invoke the Windows search-ms: protocol handler pointing to attacker-controlled WebDAV/SMB infrastructure.
Remote Content Retrieved and Rendered
Windows Search queries attacker's server and renders results containing malicious .lnk shortcuts in the Windows Search UI, positioned to appear as legitimate documents.
RomCom RAT Deployed
User interaction with the search result (or in some variants, automatic execution) delivers RomCom RAT, establishing encrypted C2 access for persistent espionage operations.
Microsoft's Unusual Response: Disclosure Without Patch
The July 2023 Patch Tuesday advisory disclosed CVE-2023-36884, attributed exploitation to Storm-0978, and provided a registry-based workaround — but no patch. This left a month-long window where defenders knew the vulnerability existed, knew the attacker, knew the workaround, but had no complete fix.
Microsoft's workaround required adding Office applications (Word, Excel, PowerPoint, OneNote, Outlook) to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key — blocking those applications from following cross-protocol file navigation requests including search-ms: URIs. This was effective but required manual or GPO-based deployment across all endpoints.
The August 2023 Patch Tuesday delivered the complete patch. CISA issued Advisory AA23-187A urging immediate workaround deployment for federal agencies.
Indicators of Compromise
Known indicators from the Storm-0978 / CVE-2023-36884 campaign:
| Artifact | Type | Detection notes |
|---|---|---|
| ukrainianworldcongress[.]info, natosummit2023[.]info | Domain — attacker-registered lure infrastructure | Domains registered to impersonate legitimate Ukrainian World Congress; used in spear-phishing and as search-ms: redirect targets |
| search-ms: URI queries from Office processes to non-corporate WebDAV/SMB endpoints | Network — protocol handler invocation | Office applications invoking search-ms: against external IPs is anomalous; capture in DNS and proxy logs |
| Office processes (winword.exe, etc.) spawning SearchApp.exe or SearchUI.exe with remote UNC paths | Process telemetry | Parent-child chain of Office → SearchApp with external UNC arguments indicates active exploitation |
| RomCom RAT — DLL loaded via sideloading against legitimate signed Microsoft binaries | Filesystem / memory artifact | Unsigned DLL in same directory as legitimate signed binary; exports matching RomCom RAT configuration loader |
Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
Remediation
Steps in order of priority:
Apply August 2023 Patch Tuesday cumulative updates
The complete CVE-2023-36884 fix is included in the August 2023 cumulative updates for all supported Windows versions. All organizations should verify these updates are applied — running Windows Update and checking for KB articles specific to August 2023 CUs.
Apply the registry workaround if patching is delayed
Add winword.exe, excel.exe, powerpnt.exe, mspub.exe, onenote.exe, and outlook.exe to HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION with DWORD value 1. This blocks cross-protocol navigation including search-ms: from those applications.
Enable Attack Surface Reduction rule for Office child processes
ASR rule GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a ('Block all Office applications from creating child processes') prevents Office from spawning processes that the search-ms: exploitation chain requires. Enable in audit mode first to verify no business impact.
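The registry workaround and the ASR audit step above, as an added PowerShell example (not Microsoft's published script): it reports which of the listed Office executables lack the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION value, writes them with -Apply, and puts the ASR rule into audit mode with -AsrAudit. The executable list and key path are taken from the text above; run it elevated on the endpoint, or translate the same values into GPO/Intune.

```powershell
# Added example, not Microsoft's published script: audit the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION workaround for the Office executables
# named above, optionally apply it, and optionally enable the ASR rule in audit mode.
# Run in an elevated PowerShell on the endpoint (or push the same values via GPO/Intune).
param([switch]$Apply, [switch]$AsrAudit)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'mspub.exe', 'onenote.exe', 'outlook.exe'
$AsrOfficeChildProcs = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # Block all Office applications from creating child processes

function Get-CrossProtocolBlockState {
    # One object per executable: current DWORD (or $null if unset) and whether it equals 1.
    foreach ($exe in $OfficeExes) {
        $value = $null
        if (Test-Path -Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $exe -ErrorAction SilentlyContinue).$exe
        }
        [pscustomobject]@{ Executable = $exe; Value = $value; Blocked = ($value -eq 1) }
    }
}

function Set-CrossProtocolBlock {
    # Create the key if missing and set each executable's value to REG_DWORD 1.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Enable-OfficeChildProcessAsrAudit {
    # Audit mode first, as recommended above; switch to Enabled once the audit events look clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcs -AttackSurfaceReductionRules_Actions AuditMode
}

$state = Get-CrossProtocolBlockState
$state | Format-Table -AutoSize
$missing = @($state | Where-Object { -not $_.Blocked })

if ($missing.Count -gt 0 -and $Apply) {
    Set-CrossProtocolBlock
    Write-Host 'Workaround written; re-checking:'
    Get-CrossProtocolBlockState | Format-Table -AutoSize
} elseif ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) executable(s) lack the workaround; re-run with -Apply to set it."
} else {
    Write-Host 'Workaround present for all listed Office executables.'
}

if ($AsrAudit) { Enable-OfficeChildProcessAsrAudit; Write-Host 'ASR rule set to audit mode.' }
```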
Configure Group Policy to block external URI handler invocations from Office
Group Policy settings under Computer Configuration → Administrative Templates → Microsoft Office can restrict Office's ability to open external protocol handlers. Consult the Microsoft 365 Group Policy Administrative Templates for the relevant policy.
Monitor EDR for search-ms invocations from Office processes
Add detection logic for Office applications spawning SearchApp.exe or SearchUI.exe with external network paths as arguments. This is abnormal behavior that should alert immediately.
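The detection logic above, and the process-telemetry row of the IOC table, as an added PowerShell example (not from the original advisory or any vendor): it classifies process-creation events where an Office parent spawns a Windows Search child whose command line names a host outside a corporate allowlist, decoding URL-encoded search-ms: location crumbs as well as plain UNC paths. The sample events, the allowlist, and explorer.exe as an additional search-ms: host process are constructed assumptions.

```powershell
# Added example, not from the original advisory or any vendor: flag the
# Office -> Windows Search process chain described above when the command line points
# at a host outside the corporate allowlist. Sample events are constructed here with
# Sysmon Event ID 1 / Security 4688-style fields; feed real events from Get-WinEvent
# or an EDR export the same way. Allowlist and explorer.exe as a child are assumptions.

$OfficeParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'mspub.exe', 'onenote.exe', 'outlook.exe'
$SearchChildren = 'searchapp.exe', 'searchui.exe', 'explorer.exe'   # explorer.exe also hosts search-ms: windows
$InternalHosts  = 'fileserver01', 'fileserver01.corp.example'         # constructed corporate allowlist

function Get-RemoteHosts([string]$CommandLine) {
    # Hosts named as UNC paths (\\host\share) or inside a search-ms: crumb=location:
    # argument, which is usually URL-encoded (%5C%5Chost%5Cshare) when handed to the handler.
    $decoded = [uri]::UnescapeDataString($CommandLine)
    [regex]::Matches($decoded, '\\\\([A-Za-z0-9\.\-]+)\\') |
        ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique
}

function Test-SearchMsAbuse($Event) {
    # Returns an alert object for Office -> Search child processes reaching external hosts, else $null.
    $parent = ($Event.ParentImage -split '[\\/]')[-1].ToLower()
    $child  = ($Event.Image -split '[\\/]')[-1].ToLower()
    if ($OfficeParents -notcontains $parent -or $SearchChildren -notcontains $child) { return $null }
    $external = @(Get-RemoteHosts $Event.CommandLine | Where-Object { $InternalHosts -notcontains $_ })
    if ($external.Count -eq 0) { return $null }
    [pscustomobject]@{ Parent = $parent; Child = $child; ExternalHosts = ($external -join ', '); Severity = 'High' }
}

# Constructed sample telemetry (documentation-range address, not a real IOC).
$events = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe'
                       CommandLine = 'SearchApp.exe "search-ms:query=summit&crumb=location:%5C%5C203.0.113.10%5Cshare"' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe \\fileserver01\docs' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\explorer.exe'
                       CommandLine = 'explorer.exe \\203.0.113.10\share' }
)
# Only the first event should produce an alert: Office parent, Search child, external host.
$events | ForEach-Object { Test-SearchMsAbuse $_ } | Format-Table -AutoSize
```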
The bottom line
CVE-2023-36884 illustrates the continuing abuse of Windows URI protocol handlers as an Office document exploitation primitive, a pattern that produced Follina in 2022 and CVE-2023-36884 in 2023. The month between disclosure and patch was an extraordinarily dangerous window for government and defense targets, who were being actively hunted during a geopolitically significant event. ASR rules and the registry workaround are essential controls that should be deployed regardless of patch status, because they reduce the attack surface for this entire class of vulnerability.
Frequently asked questions
Is CVE-2023-36884 the same as Follina (CVE-2022-30190)?
They share the same class of attack — abusing Windows URI protocol handlers triggered from Office documents — but are distinct vulnerabilities. Follina used the ms-msdt: handler targeting the Microsoft Support Diagnostic Tool. CVE-2023-36884 uses the search-ms: handler targeting Windows Search. Different handler, different code path, different patch.
Why did Microsoft disclose CVE-2023-36884 without a patch?
Microsoft judged that public attribution of active Storm-0978 zero-day exploitation served the defender community even before a complete fix was ready, and provided a registry-based workaround to reduce risk in the interim. This approach is controversial but follows precedent when nation-state actors are actively exploiting a vulnerability at significant scale.
Does the CVE-2023-36884 fix require a separate update beyond Patch Tuesday?
No. The August 2023 Patch Tuesday cumulative updates for Windows include the CVE-2023-36884 fix. Organizations that apply monthly cumulative updates are protected. The July 2023 Patch Tuesday did not include the patch — only the advisory and workaround.