CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2023-36884: Windows Search RCE Used in NATO Summit Attacks

How Storm-0978 (RomCom) weaponized a zero-day Windows and Office vulnerability to target NATO summit attendees and Ukrainian government entities, disclosed without a patch

8.3
CVSS Score
0-day
Exploited before patch existed
~1 month
Gap between disclosure and patch
NATO
Primary target profile

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-36884 is a remote code execution vulnerability affecting Windows Search and Microsoft Office, exploited as a zero-day by Storm-0978, a Russian threat actor also known as RomCom, UNDERGROUND, and Tropical Scorpius, during the NATO Vilnius summit in July 2023. The group sent spear-phishing emails with Office documents that exploited the flaw to deliver RomCom RAT to government officials and defense contractors across NATO member states. Unusually, Microsoft disclosed the vulnerability and attributed the attacker in the same advisory but released no patch until August 2023.

Storm-0978: Dual Financial and Espionage Motives

Storm-0978 is a Russia-based threat group with a dual mission: ransomware and extortion operations (operating the UNDERGROUND ransomware) and targeted espionage against entities aligned with Ukraine's support network. The group previously attacked Ukrainian and European government targets with RomCom RAT and has demonstrated consistent interest in NATO operations, Ukrainian government communications, and defense contractor networks.

The July 2023 campaign used NATO summit-themed lure documents impersonating the Ukrainian World Congress, a tactically timed operation designed to reach officials and staff processing summit-related correspondence. This targeting precision, combined with zero-day capability, indicates a well-resourced actor with significant intelligence preparation.

Technical Mechanism: search-ms URI Handler Abuse

CVE-2023-36884 exploits the Windows search-ms: URI protocol handler, the same underlying primitive class used in Follina (CVE-2022-30190). The attack flow:

  1. A malicious Office document contains an embedded OLE object referencing a remote search-ms: URI pointing to attacker infrastructure.
  2. When the document is opened, Office processes the OLE reference and triggers the search-ms: URI handler.
  3. Windows Search initiates a query against the attacker-controlled remote server (WebDAV or SMB).
  4. The Windows Search results window renders attacker-controlled content, including malicious shortcuts (.lnk) or executables, in a trusted context.
  5. Minimal additional user interaction leads to payload execution.

Critically, this bypass worked even in configurations where Office documents from the internet are normally processed in Protected View. Documents extracted from ZIP attachments in some configurations did not receive Mark-of-the-Web (MOTW) tagging, allowing the attack to bypass the Protected View sandbox entirely.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Attack Chain

The Storm-0978 campaign delivery and exploitation sequence:

1

Spear-Phishing Email Delivery

Targeted email sent to government, military, and defense contractor recipients with NATO summit-themed lure; ZIP attachment contains malicious Word document impersonating Ukrainian World Congress.

2

Document Opened, Protected View Bypassed

Victim opens .docx file; ZIP extraction may strip MOTW, allowing document to open outside Protected View sandbox in certain configurations.

3

OLE Object Triggers search-ms URI

Embedded OLE object causes Office to invoke the Windows search-ms: protocol handler pointing to attacker-controlled WebDAV/SMB infrastructure.

4

Remote Content Retrieved and Rendered

Windows Search queries attacker's server and renders results containing malicious .lnk shortcuts in the Windows Search UI, positioned to appear as legitimate documents.

5

RomCom RAT Deployed

User interaction with the search result (or in some variants, automatic execution) delivers RomCom RAT, establishing encrypted C2 access for persistent espionage operations.

Microsoft's Unusual Response: Disclosure Without Patch

The July 2023 Patch Tuesday advisory disclosed CVE-2023-36884, attributed exploitation to Storm-0978, and provided a registry-based workaround, but no patch. This left a month-long window where defenders knew the vulnerability existed, knew the attacker, knew the workaround, but had no complete fix.

Microsoft's workaround required adding Office applications (Word, Excel, PowerPoint, OneNote, Outlook) to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, blocking those applications from following cross-protocol file navigation requests including search-ms: URIs. This was effective but required manual or GPO-based deployment across all endpoints.

The August 2023 Patch Tuesday delivered the complete patch. CISA issued Advisory AA23-187A urging immediate workaround deployment for federal agencies.

Indicators of Compromise

Known indicators from the Storm-0978 / CVE-2023-36884 campaign:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2023-36884 illustrates the continuing abuse of Windows URI protocol handlers as an Office document exploitation primitive, a pattern that produced Follina in 2022, and this in 2023. The month between disclosure and patch was an extraordinarily dangerous window for government and defense targets who were actively hunted during a geopolitically significant event. ASR rules and the registry workaround are essential controls that should be deployed regardless of patch status, as they reduce the attack surface for this entire class of vulnerability.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Is CVE-2023-36884 the same as Follina (CVE-2022-30190)?

They share the same class of attack, abusing Windows URI protocol handlers triggered from Office documents, but are distinct vulnerabilities. Follina used the ms-msdt: handler targeting the Microsoft Support Diagnostic Tool. CVE-2023-36884 uses the search-ms: handler targeting Windows Search. Different handler, different code path, different patch.

Why did Microsoft disclose CVE-2023-36884 without a patch?

Microsoft judged that public attribution of active Storm-0978 zero-day exploitation served the defender community even before a complete fix was ready, and provided a registry-based workaround to reduce risk in the interim. This approach is controversial but follows precedent when nation-state actors are actively exploiting a vulnerability at significant scale.

Does the CVE-2023-36884 fix require a separate update beyond Patch Tuesday?

No. The August 2023 Patch Tuesday cumulative updates for Windows include the CVE-2023-36884 fix. Organizations that apply monthly cumulative updates are protected. The July 2023 Patch Tuesday did not include the patch, only the advisory and workaround.

Who is Storm-0978 (RomCom) and what are their primary objectives?

Storm-0978, also tracked as RomCom, UNDERGROUND, and Tropical Scorpius, is a Russia-based threat actor with a dual mission. Their financial operation runs UNDERGROUND ransomware, targeting organizations for extortion. Their espionage operation conducts targeted intrusions against entities supporting Ukraine, including NATO member governments, defense contractors, and Ukrainian government agencies. They have demonstrated zero-day capability on multiple occasions, reflecting significant operational resources. Microsoft Threat Intelligence observed the CVE-2023-36884 campaign coinciding with the July 2023 NATO Vilnius summit, timing consistent with intelligence collection around a geopolitically significant event.

How does the Mark-of-the-Web bypass contribute to CVE-2023-36884 exploitation?

Mark-of-the-Web (MOTW) is a Windows security feature that marks files downloaded from the internet (Zone 3) so that Office and other applications process them in Protected View, a sandboxed mode that blocks active content. Office documents inside ZIP archives do not always inherit MOTW from the ZIP itself in all extraction scenarios, depending on how the user extracts them. Storm-0978 delivered malicious documents inside ZIP attachments specifically because certain extraction paths stripped the MOTW flag, allowing the contained .docx to open outside Protected View and trigger the search-ms: URI handler without the protected sandbox blocking it.

What is UNDERGROUND ransomware and how does Storm-0978 use it?

UNDERGROUND is a ransomware family operated by Storm-0978 for financially motivated extortion campaigns, distinct from their nation-state espionage operations. Storm-0978 uses separate operational tracks: the espionage track (CVE-2023-36884, RomCom RAT) targets government and defense entities for intelligence collection, while the ransomware track deploys UNDERGROUND against organizations for financial gain. This dual-mission model is increasingly common among sophisticated threat actors, especially those with Russian state adjacency, who use criminal operations for revenue while conducting parallel intelligence operations against strategic targets.

Sources & references

  1. Microsoft Threat Intelligence, Storm-0978 Attacks
  2. Microsoft Security Update Guide, CVE-2023-36884
  3. CISA Advisory AA23-187A

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.