# Playbook of the Week: Microsoft Office and Windows HTML RCE CVE-2023-36884 Rapid Response

By [Jane Goh](https://www.paloaltonetworks.com/blog/author/jane-goh/?ts=markdown "Posts by Jane Goh"), Jul 20, 2023, 3 minutes

Tags: [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [CVE 2023-36884](https://www.paloaltonetworks.com/blog/tag/cve-2023-36884/?ts=markdown), [Microsoft zero-day](https://www.paloaltonetworks.com/blog/tag/microsoft-zero-day/?ts=markdown), [Phishing](https://www.paloaltonetworks.com/blog/tag/phishing/?ts=markdown), [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown), [SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)

Patch Tuesday is not the favorite day of the month for your security team: zero-day threat alerts and newly discovered vulnerabilities invariably disrupt the work schedule, pulling in multiple teams and a host of time-consuming manual tasks. The latest disturbance comes from a zero-day remote code execution vulnerability that was announced, but not patched, alongside the new Microsoft Patch Tuesday release. [CVE-2023-36884](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884) affects Microsoft Office and Windows and can be exploited using specially crafted documents, although exploitation requires the user to open the file. According to Microsoft, the vulnerability has been exploited by a threat group targeting defense and government entities in Europe and North America. The initial access attempts have predominantly combined phishing campaigns with this exploit, targeting users with specially crafted Microsoft documents themed around diplomatic operations. For more details on the zero-day vulnerability and its mitigation, please refer to the Unit 42 [threat brief](https://unit42.paloaltonetworks.com/cve-2023-36884-rce/), which will be updated as more information on the vulnerability and mitigations becomes available.

To help your team shorten mitigation time, Cortex XSOAR maintains a library of [rapid response content packs](https://cortex.marketplace.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse/). The response pack for CVE-2023-36884 helps you automate the following tasks to speed up response and mitigation actions:

* Automatically collect and update IOCs identified by Unit 42.
* Perform advanced threat hunting queries across Cortex XDR and your SIEM for behavior identified as part of exploitation patterns.
  * These behaviors might include suspicious file drops, suspicious new instances of Microsoft Office Component Object Model (COM) objects, and changes to the PowerShell execution policy.
* Apply Microsoft mitigation measures such as restricting cross-protocol file navigation.

![CVE-2023-36884 Response Playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-299030-1.png)

*CVE-2023-36884 Response Playbook*

To help protect your organization if you end up the unfortunate recipient of these phishing campaigns, you might want to check out our [Phishing automation pack](https://cortex.marketplace.pan.dev/marketplace/details/Phishing/), which helps you automate a large part of your phishing incident response workflows. With this pack, you can choose to fully automate your phishing response or strategically eliminate the more repetitive, manual tasks. The pack:

* Retrieves emails from user inboxes or ingests them using mail listeners.
* Creates a phishing incident within Cortex XSOAR associated with the email.
* Extracts and enriches all indicators from email attachments.
* Analyzes files and provides reputation using your sandbox and threat intelligence integrations.
* Generates a screenshot of the email and embedded links, and calculates reputation for all indicators involved.
* Runs checks for SSL certificates of URLs, email address breach involvement, domain squatting, and email authenticity using SPF, DKIM and DMARC checks.
* Identifies similar phishing incidents belonging to the same campaign, providing visibility and manual or automatic actions to respond to such incidents.
* Calculates severity for the incident based on the provided initial severity, indicator reputations, the email authenticity check, and critical assets, if any are involved.
* Remediates the incident by blocking malicious indicators and by searching for and deleting malicious emails upon analyst approval.
* Engages with the end user regarding the incident, such as notifying them of receipt of the email and providing further instructions if an email is found to be malicious.

As part of this pack, you will also get out-of-the-box phishing incident views, a full layout and automation scripts. All of these are easily customizable to suit the needs of your organization.

**Learn More**

These two packs are just a couple of the more than 900 automation packs and integrations we offer our users out of the box. Do check out the [Cortex Marketplace](https://cortex.marketplace.pan.dev/marketplace/) to discover more automation use cases!
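The hunting behaviors the response pack description lists (suspicious file drops by Office, new Office COM object instances, PowerShell execution policy changes) can be expressed as simple rules over process and file telemetry. The following Python is an added illustration, not code from the pack or from Cortex XDR: the event field names, the Office binary list, the dropped-file extension list and the sample events are all constructed assumptions, and the `-Embedding` heuristic for COM-launched Office processes is the author's, not the page's.

```python
import re
from dataclasses import dataclass

# Office binaries whose behaviour the hunt list singles out (assumed set, extend as needed).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Executable content a user-opened document has no business writing to disk (heuristic).
DROP_EXTS = (".exe", ".dll", ".lnk", ".vbs", ".js", ".hta", ".url", ".chm")
# Execution-policy changes via the cmdlet, the -ExecutionPolicy/-ep/-ex* switch, or reg.exe.
EXEC_POLICY_RE = re.compile(
    r"set-executionpolicy|-(?:ep|ex\w*)\s+(?:bypass|unrestricted)|/v\s+ExecutionPolicy", re.I)

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def hunt(events):
    """Return one Finding per telemetry event that matches a hunt rule."""
    out = []
    for ev in events:
        image, parent = _basename(ev.get("image", "")), _basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        if ev["type"] == "process":
            # Rule 1: Office started as a COM server (-Embedding) by a non-Office parent.
            if image in OFFICE_PROCS and parent not in OFFICE_PROCS and re.search(r"[-/]embedding\b", cmd, re.I):
                out.append(Finding(ev["host"], "office_com_instance", f"{parent} -> {cmd}"))
            # Rule 2: PowerShell execution policy tampering from any process.
            if EXEC_POLICY_RE.search(cmd):
                out.append(Finding(ev["host"], "ps_execution_policy_change", cmd))
        elif ev["type"] == "file_write" and image in OFFICE_PROCS and ev["path"].lower().endswith(DROP_EXTS):
            # Rule 3: an Office process dropping executable content.
            out.append(Finding(ev["host"], "office_file_drop", ev["path"]))
    return out

# Constructed sample telemetry (not real data); the schema is assumed, not Cortex XDR's.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": WORD, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\brief.docx"'},          # benign open
    {"host": "ws01", "type": "process", "image": WORD, "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'"WINWORD.EXE" -Embedding'},                                     # rule 1
    {"host": "ws01", "type": "file_write", "image": WORD, "path": r"C:\Users\a\AppData\Local\Temp\update.lnk"},  # rule 3
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"powershell.exe -ep bypass -File C:\Temp\x.ps1"},  # rule 2
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"reg add HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell /v ExecutionPolicy /d Unrestricted /f"},  # rule 2
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

In a playbook these findings would feed the SIEM/XDR hunting task and its incident enrichment; the rules are deliberately narrow, so expect to tune the binary and extension lists to your estate.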