
Sid 1-46602


FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt


This event is generated when an attempt to exploit a use-after-free vulnerability in Outlook 2013 or 2016 is detected.


Attempted Administrator Privilege Gain


CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

Successful exploitation of this vulnerability could result in Remote Code Execution. CVE-2018-8161: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Word, Word, Microsoft Office, Microsoft SharePoint. This CVE ID is unique from CVE-2018-8157, CVE-2018-8158.

Affected systems

  • microsoft office 2010
  • microsoft office 2013
  • microsoft office 2016
  • microsoft officewebapps 2010
  • microsoft officewebapps 2013
  • microsoft sharepoint_server 2010
  • microsoft sharepoint_server 2013
  • microsoft sharepoint_server 2016
  • microsoft word 2010
  • microsoft word 2013
  • microsoft word 2016

Ease of attack


False positives


False negatives


Corrective action

Upgrade to the fixed version of Microsoft Outlook.


  • Cisco's Talos Intelligence Group

Additional References