The most recent campaign spotted by Sophos Labs bypasses the protection of the patch through a new Office exploit.
Attackers are weaponizing it to deliver the Formbook malware.
Researchers believe that this new attack is possible because the patch was too narrowly focused and did not address the initial issue entirely.
In the recent attack, attackers send the maldoc in a specially crafted RAR archive.
The modified exploit (CAB-less 40444) existed for 36 hours between October 24 and 25, during which spam emails carrying malformed RAR archive files were sent to victims.
The RAR file carries a script written for Windows Script Host along with a Word document.
Although Microsoft had fixed the security issue as part of its September 2021 Patch Tuesday updates, the flaw has been exploited in numerous attacks ever since its details became public.
In the same month, Microsoft discovered a targeted phishing campaign abusing the vulnerability to deploy Cobalt Strike Beacons on targeted Windows systems using Office documents.
In November, SafeBreach Labs provided details on an Iranian threat actor operation aimed at Farsi-speaking victims. It used a new PowerShell-based information stealer.
While security patches do help plug known security loopholes, this is one of those exceptional cases where the patch did not close the hole completely. Organizations are advised to regularly train their employees to identify phishing emails. People should be suspicious of emailed documents that arrive inside an archive or in unknown formats.
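A mail-gateway style check for the malformed RAR attachments described above, as an added example that is not from Sophos or the original article. It assumes "malformed" means that bytes sit in front of the RAR signature; the function name, the hint list and the sample bytes are constructed for illustration.

```python
import re

# RAR 4.x and RAR 5.x signatures (public format constants).
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Heuristic markers of script text; this list is an assumption of the example.
SCRIPT_HINTS = re.compile(
    rb"(?i)wscript|createobject|activexobject|<job|<script|powershell"
)


def inspect_attachment(data: bytes, max_scan: int = 1 << 20) -> dict:
    """Locate the RAR signature and classify whatever precedes it."""
    window = data[:max_scan]
    hits = [pos for pos in (window.find(sig) for sig in RAR_SIGNATURES) if pos >= 0]
    if not hits:
        return {"offset": None, "script_like": False, "verdict": "not-rar"}
    offset = min(hits)
    prefix = data[:offset]  # bytes an archive tool may skip but a scanner should not
    script_like = bool(SCRIPT_HINTS.search(prefix))
    if offset == 0:
        verdict = "well-formed"   # signature where the format expects it
    elif script_like:
        verdict = "quarantine"    # script text placed ahead of the archive
    else:
        verdict = "review"        # leading data of another kind, e.g. an SFX stub
    return {"offset": offset, "script_like": script_like, "verdict": verdict}


# Constructed sample inputs, not real attachments.
SAMPLES = {
    "plain.rar": RAR_SIGNATURES[1] + b"\x00" * 16,
    "prefixed.rar": b'WScript.Echo "constructed sample"\r\n'
    + RAR_SIGNATURES[0] + b"\x00" * 16,
    "stub.rar": b"MZ\x90\x00" + b"\x00" * 64 + RAR_SIGNATURES[1] + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_attachment(blob))
```

The check only inspects the container; an attachment that passes still needs its contents scanned.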