Researchers have discovered an unpatched flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code in a document file, tricking the victim into running malware on their machine. The flaw abuses the “Online video” function in Word documents, which allows users to insert an online video with a link to YouTube. When users add online video links to a Word document, the online video feature will automatically generate an HTML embed script. The script is executed when the thumbnail in the document is clicked by the user. Because the Word doc files are zip packages of its configuration and media files, they can be easily opened and edited. Researchers claim, “The configuration file called ‘document.xml,’ which is a default XML file used by Word and contains the generated embedded-video code, can be edited to replace the current video iFrame code with any HTML or JavaScript code that would run in the background.” The flaw was made public three months after Microsoft “refused” to recognize it.