In its security advisory, Microsoft said the "critical"-rated bug could allow an attacker to take control of an affected system, for example by installing programs or creating new accounts with full user rights.
Unlike many Office-based attacks, this one does not rely on macros. Instead, the vulnerability, which lies in the Windows Object Linking and Embedding (OLE) function, is triggered when a victim opens a booby-trapped Word document. The document downloads a malicious HTML application from a server, disguised as a Rich Text document file to serve as a decoy. That HTML application in turn downloads and runs a malicious script that can be used to stealthily install malware.
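A defender-side check for the document pattern described above, added here as an example; it is not code from the article, from Microsoft or from Proofpoint. It assumes the inbound document is available as RTF text and applies a heuristic: an embedded OLE object that is marked for automatic update on open, or whose hex-encoded object data contains a link to a remote script file such as an .hta, is flagged for quarantine or analyst review. The two sample RTF strings and the example.invalid host are constructed fixtures.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


def _hex(s: str) -> str:
    """Hex-encode a string the way RTF stores binary object data."""
    return s.encode().hex()


# Constructed fixtures (not real documents). The object data is just an ASCII
# URL pointing at a reserved, non-resolving domain.
SAMPLE_RTF_SUSPICIOUS = (
    r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objdata "
    + _hex("http://example.invalid/report.hta")
    + "}}}"
)
SAMPLE_RTF_BENIGN = r"{\rtf1\ansi Quarterly figures are attached.\par}"

# \objdata carries the embedded object as a run of hex digits (whitespace allowed).
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+", re.IGNORECASE)

# Script-bearing file types an embedded document object has no business fetching.
SCRIPT_EXTS = (".hta", ".vbs", ".js", ".wsf", ".ps1")

AUTO_UPDATE = "object marked for automatic update on open"
REMOTE_SCRIPT = "embedded object links to a remote script"
REMOTE_RESOURCE = "embedded object links to a remote resource"
BAD_HEX = "malformed \\objdata hex"


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str = ""


def scan_rtf(text: str) -> list[Finding]:
    """Return heuristic findings for one RTF document (empty list = nothing seen)."""
    findings: list[Finding] = []
    # \objupdate asks the viewer to refresh the object as soon as the file is opened,
    # so no click is needed for a linked object to be fetched.
    if r"\objupdate" in text:
        findings.append(Finding(AUTO_UPDATE))
    for m in OBJDATA_RE.finditer(text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        try:
            blob = bytes.fromhex(hexdata)
        except ValueError:
            findings.append(Finding(BAD_HEX, hexdata[:32]))
            continue
        # Look at the raw bytes and at a NUL-stripped copy, so that URLs stored as
        # UTF-16LE inside the object stream are also caught.
        urls: set[str] = set()
        for candidate in (blob, blob.replace(b"\x00", b"")):
            urls.update(u.decode("latin-1") for u in URL_RE.findall(candidate))
        for url in sorted(urls):
            reason = REMOTE_SCRIPT if url.lower().endswith(SCRIPT_EXTS) else REMOTE_RESOURCE
            findings.append(Finding(reason, url))
    return findings


def is_suspicious(text: str) -> bool:
    """True when an embedded object auto-updates or links to a remote script."""
    reasons = {f.reason for f in scan_rtf(text)}
    return REMOTE_SCRIPT in reasons or AUTO_UPDATE in reasons


if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_RTF_SUSPICIOUS), ("benign", SAMPLE_RTF_BENIGN)):
        print(name, is_suspicious(doc), scan_rtf(doc))
```

The check is deliberately narrow: it reads only the RTF container and does not parse the OLE stream itself, so it complements rather than replaces a sandbox or proxy control that blocks script file types fetched by Office processes.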
The vulnerability has been known since early January, when security researchers observed attackers exploiting the flaw.
Microsoft said the bug affects all supported versions of Office and some versions of Windows.
Security firm Proofpoint also observed the exploit being used in a large-scale email campaign distributing the Dridex malware, which usually targets banks and financial institutions, to several unnamed organizations, primarily in Australia but also elsewhere.
Once the vulnerability is exploited, the malware installs Dridex and connects the machine to a botnet the researchers dubbed "Botnet 7500", though they did not specify what activities the botnet carries out.