Exploit:Win32/Tudimons.A
Aliases: No associated aliases
Summary
Exploit:Win32/Tudimons.A is associated with CVE-2026-21509, a high-severity vulnerability in Microsoft Office that relies on untrusted inputs in security decisions. This malware is designed to bypass local protections, specifically the OLE mitigations in Microsoft 365 and Office that normally block unsafe COM/OLE controls. For the attack to succeed, the malware requires user interaction: a threat actor must deliver a crafted Office document and convince the recipient to open it and choose 'Enable Editing' to exit Protected View.
- Immediately disconnect the affected device from all networks, including Ethernet, Wi-Fi, and Bluetooth.
- Run a full system scan with updated Microsoft Defender and follow all remediation prompts.
- For Office 2021 and later versions, completely close and restart all Office applications to activate the service-side protection.
- For Office 2016 and 2019, install the available security update dated January 26, 2026.
- As an interim measure, or if patching is delayed, apply the registry kill bit mitigation mentioned in the Technical Information section of this article, using the exact path and value specified.
- Investigate for any signs of further post-exploitation activity and restore data from clean backups if necessary.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.