This is just a collection of my thoughts and PoCs that I've tried. I'll update this as I learn more.
There is some speculation that it could work on a Mac; however, I don't believe that to be the case. All the PoCs I've seen so far leverage msdt to get code execution, which doesn't exist on a Mac. That being said, in theory, you could call on a Mac-based LoLBin. This is yet to be seen (also, targeting Windows would have a much better rate of return).
Microsoft Word executes the code via msdt (the Microsoft Support Diagnostic Tool) even if macros are disabled.
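Since the chain hinges on Word spawning msdt, the parent/child process relationship is the most direct thing to alert on. The following is an added example and not part of these notes: it runs over a few constructed Sysmon-style process-creation records (the field layout, paths and command lines are assumptions, not real telemetry) and flags msdt.exe whose parent is an Office application.

```python
# Added example: flag msdt.exe launched by an Office process.
# SAMPLE_LOGS is constructed to look like Sysmon Event ID 1 data flattened
# into "Key: value|Key: value" lines; the layout is an assumption.
from typing import Dict, List

# Office binaries that should never need to spawn the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

SAMPLE_LOGS = """\
Image: C:\\Windows\\System32\\msdt.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine: msdt.exe <constructed placeholder args>
Image: C:\\Windows\\System32\\msdt.exe|ParentImage: C:\\Windows\\explorer.exe|CommandLine: msdt.exe -id NetworkDiagnosticsWeb
Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine: notepad.exe readme.txt
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'Key: value|Key: value' line into a dict of fields."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_spawning_msdt(rec: Dict[str, str]) -> bool:
    """True when the child is msdt.exe and the parent is an Office app."""
    child = basename(rec.get("Image", ""))
    parent = basename(rec.get("ParentImage", ""))
    return child == "msdt.exe" and parent in OFFICE_PARENTS


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every record in log_text that matches the Office -> msdt rule."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if is_office_spawning_msdt(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT: msdt.exe spawned by", hit["ParentImage"], "->", hit["CommandLine"])
```

Only the WINWORD.EXE -> msdt.exe record is reported; msdt.exe launched from explorer.exe and notepad.exe launched from Word are left alone.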
I tried this PoC, but Word threw an error: "Word found unreadable content." Word version 2205, build 15225.20204. It is definitely possible that I screwed it up.
I did not try the .rtf PoC because I believe it relies on the Preview Pane, and you should have the Preview Pane disabled anyway (I do in my environment).
Tried this PoC, but Defender caught it as TrojanDownloader:O97M/Donoff.SA!Gen on the
It looks like this detection was updated the morning of May 30th: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.367.703.0
Apparently, the .rtf method described in the 1st PoC I linked still works: