
One email can be enough
Microsoft has released urgent fixes for three critical security flaws in Word and Outlook, tracked as CVE-2026-45456, CVE-2026-45458 and CVE-2026-47635 and rated 8.4 out of 10 in severity. The problem sits in the part of Word that draws documents on screen, and classic Outlook uses that same engine to display email. That means a booby-trapped message can run an attacker’s code the moment it shows up in your preview pane. Nobody has to open an attachment or click a link.
If that happens, the attacker gets the same access as the person reading the email: their files, their mailbox, and whatever business systems they can reach. From there it is a short step to stolen invoices, ransomware or a compromised email account quietly sending scams to your customers. For a small business, one weaponised email to the accounts inbox is a very realistic attack.
What to do this week
- Update Microsoft Office on every computer now. Patching is the only real fix, and the updates are already available. Affected versions include Office LTSC 2024 and other supported Word and Outlook builds; some Mac versions of Office will receive their fixes slightly later, so check those again in a few days.
- Treat unexpected emails with extra care. Until every machine is patched, consider turning off Outlook’s preview pane, and keep Protected View switched on for files that arrive from the internet.
- If your IT is managed, ask one question: are Office updates applied automatically across all staff machines, including the laptop that rarely comes into the office? Unpatched stragglers are exactly what attackers count on.
Microsoft also recommends extra hardening for business environments, such as rules that stop Office programs from launching other software, which makes attacks like this much harder to pull off.
Worried this affects your business? Get a free 15-minute IT check – call Trends IT on 0485 011 911 or visit /contact/.
