Russian hackers are targeting a new Office 365 zero-day, so patch now or face attack

• Russian APT28 (Fancy Bear) exploited CVE-2026-21509 in Microsoft Office days after patch release
• Malicious DOC files sent to Ukrainian government agencies via themed phishing lures
• CISA added the flaw to its KEV catalog, urging immediate patching

Russian hackers have attacked Ukrainian government agencies using a high-severity Microsoft Office vulnerability mere days after a patch was released.

On January 26, 2026, Microsoft pushed an emergency fix to address CVE-2026-21509, a reliance on untrusted inputs in a security decision vulnerability, that allows unauthorized attackers to bypass Microsoft Office security features locally. The bug was given a severity score of 7.6/10 (high), and was said to have already been abused in the wild as a zero-day.

Just three days later, Ukraine’s Computer Emergency Response Team (CERT-UA) said it saw cybercriminals mailing dozens of government-related addresses malicious DOC files that were exploiting the flaw. Some were themed around the EU COREPER ...