Why are RTF files used for malware delivery?

RTF files are commonly trusted document formats, making them effective for bypassing security measures and deceiving users into opening them, thereby facilitating malware delivery.

Understanding the 2026 RTF Malware Delivery Exploit

A deep dive into how attackers leveraged RTF files to deliver malware via embedded ZIP files in 2026, and strategies for defense.

Published: March 2, 2026

Share this on:

Executive Summary

In early 2026, cybersecurity researchers identified a sophisticated malware delivery method exploiting Rich Text Format (RTF) files. Attackers embedded malicious ZIP files within RTF documents, which, when opened, executed embedded scripts to download and install malware on the victim's system. This technique bypassed traditional security measures by leveraging the inherent trust in RTF files and the complexity of detecting embedded compressed files. The campaign targeted various sectors, leading to data breaches and operational disruptions.

This incident underscores the evolving tactics of cyber adversaries who continuously adapt to circumvent security defenses. The use of RTF files for malware delivery highlights the need for organizations to enhance their email filtering, user awareness training, and endpoint detection capabilities to mitigate such threats.

Why This Matters Now

The exploitation of RTF files for malware delivery represents a significant shift in attack vectors, emphasizing the urgency for organizations to reassess and strengthen their cybersecurity posture against increasingly sophisticated threats.

Attack Path Analysis

An attacker delivered a malicious RTF document via phishing email, exploiting vulnerabilities to execute a payload that established command and control, facilitated lateral movement, and exfiltrated sensitive data, culminating in significant operational disruption.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

The attacker sent a phishing email containing a malicious RTF document with embedded OLE objects that exploited vulnerabilities upon opening.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2023-21716
CVSS 9.8
A heap corruption vulnerability in Microsoft Word's RTF parser allows remote code execution when a user opens a specially crafted RTF document.
Affected Products:
Microsoft Office – 2007, 2010, 2013, 2016, 365
Exploit Status:
exploited in the wild
References:
https://www.netskope.com/blog/cve-2023-21716-microsoft-word-rce-vulnerability https://www.deepwatch.com/labs/poc-exploit-released-for-critical-windows-word-vulnerability-cve-2023-21716/

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Execution

T1204.002

Malicious File

Defense Evasion

T1027.009

Obfuscated Files or Information: Embedded Payloads

Defense Evasion

T1036.007

Masquerading: Double File Extension

Collection

T1560.002

Archive Collected Data: Archive via Library

Defense Evasion

T1221

Template Injection

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The incident exploited vulnerabilities in document handling, indicating a failure to protect systems from known threats.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The attack highlights deficiencies in the organization's cybersecurity policy regarding the handling of embedded files in documents.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach underscores inadequate ICT risk management practices, particularly in detecting and mitigating risks associated with embedded malicious content.

CISA ZTMM 2.0 – Data Protection

Control ID: 3.1

The incident reveals gaps in data protection measures, as malicious payloads were successfully embedded and executed within document files.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The attack indicates a need for improved risk management measures to address threats posed by obfuscated and embedded malicious content in documents.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

RTF-based malware delivery targeting financial institutions exploits document workflows, threatening encrypted traffic security and requiring enhanced egress filtering for data protection.

Health Care / Life Sciences

ZIP-embedded RTF attacks compromise HIPAA-regulated environments through malicious document processing, necessitating strengthened intrusion prevention and zero trust segmentation capabilities.

Government Administration

OLE object exploitation in government RTF documents enables lateral movement and command control, demanding robust threat detection and multicloud visibility solutions.

Legal Services

Document-centric law firms face elevated malware delivery risks through RTF files containing embedded ZIP containers, requiring comprehensive egress security enforcement.

Sources

Quick Howto: ZIP Files Inside RTF, (Mon, Mar 2nd)https://isc.sans.edu/diary/rss/32696
Verified

CVE-2023-21716: Microsoft Word RCE Vulnerabilityhttps://www.netskope.com/blog/cve-2023-21716-microsoft-word-rce-vulnerability

Verified

PoC Exploit Released for Critical Windows Word Vulnerability CVE-2023-21716https://www.deepwatch.com/labs/poc-exploit-released-for-critical-windows-word-vulnerability-cve-2023-21716/

Verified

Frequently Asked Questions

Organizations should implement advanced email filtering, conduct regular user training on phishing awareness, and deploy endpoint detection solutions to identify and block malicious RTF files.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While Aviatrix CNSF primarily focuses on network-level controls, its integration with identity-aware policies could potentially limit the attacker's ability to exploit vulnerabilities by enforcing strict access controls.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting workloads.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's lateral movement by enforcing strict segmentation and monitoring east-west traffic.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by providing real-time monitoring and control over network traffic.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict egress policies and monitoring outbound traffic.

Impact (Mitigations)

While Aviatrix CNSF cannot entirely prevent operational disruption, its enforcement of strict segmentation and controlled egress policies would likely limit the scope of the attack, thereby reducing the overall impact.

Impact at a Glance

Affected Business Functions

Document Management
Email Communications
File Sharing

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive corporate documents and communications.

Recommended Actions

• Implement Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
• Deploy Cloud Firewall (ACF) to enforce egress filtering and control outbound traffic.
• Utilize Zero Trust Segmentation to limit lateral movement within the network.
• Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities.
• Conduct regular user training to recognize and report phishing attempts.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Understanding the 2026 RTF Malware Delivery Exploit

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2023-21716

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Malicious File

Obfuscated Files or Information: Embedded Payloads

Masquerading: Double File Extension

Archive Collected Data: Archive via Library

Template Injection

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data Protection

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Legal Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads