CVE-2023-36884: Windows Search RCE Used in NATO Summit Attacks
How Storm-0978 (RomCom) weaponized a zero-day Windows and Office vulnerability to target NATO summit attendees and Ukrainian government entities, disclosed without a patch

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2023-36884 is a remote code execution vulnerability affecting Windows Search and Microsoft Office, exploited as a zero-day by Storm-0978, a Russian threat actor also known as RomCom, UNDERGROUND, and Tropical Scorpius, during the NATO Vilnius summit in July 2023. The group sent spear-phishing emails with Office documents that exploited the flaw to deliver RomCom RAT to government officials and defense contractors across NATO member states. Unusually, Microsoft disclosed the vulnerability and attributed the attacker in the same advisory but released no patch until August 2023.
Storm-0978: Dual Financial and Espionage Motives
Storm-0978 is a Russia-based threat group with a dual mission: ransomware and extortion operations (operating the UNDERGROUND ransomware) and targeted espionage against entities aligned with Ukraine's support network. The group previously attacked Ukrainian and European government targets with RomCom RAT and has demonstrated consistent interest in NATO operations, Ukrainian government communications, and defense contractor networks.
The July 2023 campaign used NATO summit-themed lure documents impersonating the Ukrainian World Congress, a tactically timed operation designed to reach officials and staff processing summit-related correspondence. This targeting precision, combined with zero-day capability, indicates a well-resourced actor with significant intelligence preparation.
Technical Mechanism: search-ms URI Handler Abuse
CVE-2023-36884 exploits the Windows search-ms: URI protocol handler, the same underlying primitive class used in Follina (CVE-2022-30190). The attack flow:
- A malicious Office document contains an embedded OLE object referencing a remote search-ms: URI pointing to attacker infrastructure.
- When the document is opened, Office processes the OLE reference and triggers the search-ms: URI handler.
- Windows Search initiates a query against the attacker-controlled remote server (WebDAV or SMB).
- The Windows Search results window renders attacker-controlled content, including malicious shortcuts (.lnk) or executables, in a trusted context.
- Minimal additional user interaction leads to payload execution.
Critically, this bypass worked even in configurations where Office documents from the internet are normally processed in Protected View. Documents extracted from ZIP attachments in some configurations did not receive Mark-of-the-Web (MOTW) tagging, allowing the attack to bypass the Protected View sandbox entirely.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Attack Chain
The Storm-0978 campaign delivery and exploitation sequence:
Spear-Phishing Email Delivery
Targeted email sent to government, military, and defense contractor recipients with NATO summit-themed lure; ZIP attachment contains malicious Word document impersonating Ukrainian World Congress.
Document Opened, Protected View Bypassed
Victim opens .docx file; ZIP extraction may strip MOTW, allowing document to open outside Protected View sandbox in certain configurations.
OLE Object Triggers search-ms URI
Embedded OLE object causes Office to invoke the Windows search-ms: protocol handler pointing to attacker-controlled WebDAV/SMB infrastructure.
Remote Content Retrieved and Rendered
Windows Search queries attacker's server and renders results containing malicious .lnk shortcuts in the Windows Search UI, positioned to appear as legitimate documents.
RomCom RAT Deployed
User interaction with the search result (or in some variants, automatic execution) delivers RomCom RAT, establishing encrypted C2 access for persistent espionage operations.
Microsoft's Unusual Response: Disclosure Without Patch
The July 2023 Patch Tuesday advisory disclosed CVE-2023-36884, attributed exploitation to Storm-0978, and provided a registry-based workaround, but no patch. This left a month-long window where defenders knew the vulnerability existed, knew the attacker, knew the workaround, but had no complete fix.
Microsoft's workaround required adding Office applications (Word, Excel, PowerPoint, OneNote, Outlook) to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, blocking those applications from following cross-protocol file navigation requests including search-ms: URIs. This was effective but required manual or GPO-based deployment across all endpoints.
The August 2023 Patch Tuesday delivered the complete patch. CISA issued Advisory AA23-187A urging immediate workaround deployment for federal agencies.
Indicators of Compromise
Known indicators from the Storm-0978 / CVE-2023-36884 campaign:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Steps in order of priority:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2023-36884 illustrates the continuing abuse of Windows URI protocol handlers as an Office document exploitation primitive, a pattern that produced Follina in 2022, and this in 2023. The month between disclosure and patch was an extraordinarily dangerous window for government and defense targets who were actively hunted during a geopolitically significant event. ASR rules and the registry workaround are essential controls that should be deployed regardless of patch status, as they reduce the attack surface for this entire class of vulnerability.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Is CVE-2023-36884 the same as Follina (CVE-2022-30190)?
They share the same class of attack, abusing Windows URI protocol handlers triggered from Office documents, but are distinct vulnerabilities. Follina used the ms-msdt: handler targeting the Microsoft Support Diagnostic Tool. CVE-2023-36884 uses the search-ms: handler targeting Windows Search. Different handler, different code path, different patch.
Why did Microsoft disclose CVE-2023-36884 without a patch?
Microsoft judged that public attribution of active Storm-0978 zero-day exploitation served the defender community even before a complete fix was ready, and provided a registry-based workaround to reduce risk in the interim. This approach is controversial but follows precedent when nation-state actors are actively exploiting a vulnerability at significant scale.
Does the CVE-2023-36884 fix require a separate update beyond Patch Tuesday?
No. The August 2023 Patch Tuesday cumulative updates for Windows include the CVE-2023-36884 fix. Organizations that apply monthly cumulative updates are protected. The July 2023 Patch Tuesday did not include the patch, only the advisory and workaround.
Who is Storm-0978 (RomCom) and what are their primary objectives?
Storm-0978, also tracked as RomCom, UNDERGROUND, and Tropical Scorpius, is a Russia-based threat actor with a dual mission. Their financial operation runs UNDERGROUND ransomware, targeting organizations for extortion. Their espionage operation conducts targeted intrusions against entities supporting Ukraine, including NATO member governments, defense contractors, and Ukrainian government agencies. They have demonstrated zero-day capability on multiple occasions, reflecting significant operational resources. Microsoft Threat Intelligence observed the CVE-2023-36884 campaign coinciding with the July 2023 NATO Vilnius summit, timing consistent with intelligence collection around a geopolitically significant event.
How does the Mark-of-the-Web bypass contribute to CVE-2023-36884 exploitation?
Mark-of-the-Web (MOTW) is a Windows security feature that marks files downloaded from the internet (Zone 3) so that Office and other applications process them in Protected View, a sandboxed mode that blocks active content. Office documents inside ZIP archives do not always inherit MOTW from the ZIP itself in all extraction scenarios, depending on how the user extracts them. Storm-0978 delivered malicious documents inside ZIP attachments specifically because certain extraction paths stripped the MOTW flag, allowing the contained .docx to open outside Protected View and trigger the search-ms: URI handler without the protected sandbox blocking it.
What is UNDERGROUND ransomware and how does Storm-0978 use it?
UNDERGROUND is a ransomware family operated by Storm-0978 for financially motivated extortion campaigns, distinct from their nation-state espionage operations. Storm-0978 uses separate operational tracks: the espionage track (CVE-2023-36884, RomCom RAT) targets government and defense entities for intelligence collection, while the ransomware track deploys UNDERGROUND against organizations for financial gain. This dual-mission model is increasingly common among sophisticated threat actors, especially those with Russian state adjacency, who use criminal operations for revenue while conducting parallel intelligence operations against strategic targets.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
