Microsoft states that their Defender for Endpoint products protect against CVE-2021-40444 (MSHTML). Do we have the same protection in Intercept X products?
Robert - Labs is working on this actively - you can follow twitter updates here: https://twitter.com/SophosLabs/status/1435368778200666112?s=20
Here is also some guidance from Paul Ducklin: https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/
For InterceptX, SophosLabs has seen this being used in the wild, and has already published protection for components including Troj/DocDl-AEEP, and for payloads including Troj/Agent-BHRO and Troj/Agent-BHPO.
We have published additional generic detections for this attack as well, including Exp/2140444-A for the initial DOCX attacks, Troj/JSExp-W for the remote HTML that the documents access, and Troj/Cabinf-A for the CAB.
@Alex - Checking on a query for you and will post it here for everyone.
Awesome.
Thank you for the information Brian!
Here is a pastebin of IoCs you could add to blocked items in Sophos Central https://pastebin.com/jpu4QF9i as an extra precaution.
Nice! Thanks Alex.
Here is the link to 2 queries:
https://community.sophos.com/intercept-x-endpoint/i/threat-hunting/query-if-cve-2021-40444-mshtml-mitigations-are-applied
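A local check of whether the Microsoft-published ActiveX workaround for CVE-2021-40444 is in place, added here as an example and not one of the community queries linked above. It assumes the workaround as Microsoft described it: values 1001 and 1004 set to 3 under each Internet Explorer security zone 0-3 in the Policies hive.

```powershell
# Added example (not the community's query): report whether the
# CVE-2021-40444 ActiveX registry workaround is applied on this host.
# Assumption: Microsoft's workaround sets 1001 (download signed ActiveX)
# and 1004 (download unsigned ActiveX) to 3 (Disable) for zones 0-3.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = 0..3
$values   = '1001', '1004'
$disabled = 3

$results = foreach ($z in $zones) {
    $key = Join-Path $base $z
    foreach ($v in $values) {
        $data = $null
        if (Test-Path $key) {
            # Missing value returns $null, which counts as "not applied"
            $data = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
        }
        [pscustomobject]@{
            Zone    = $z
            Value   = $v
            Data    = $data
            Applied = ($data -eq $disabled)
        }
    }
}

$results | Format-Table -AutoSize

if ($results.Applied -contains $false) {
    Write-Warning 'CVE-2021-40444 ActiveX workaround is NOT fully applied on this host.'
} else {
    Write-Output 'CVE-2021-40444 ActiveX workaround is applied for all zones 0-3.'
}
```

Run it in an elevated PowerShell session on each endpoint you want to verify; a zone row with Applied = False means that zone still allows ActiveX downloads under the Policies settings.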