Microsoft revealed the bug, known as CVE-2023-23397, on March 14 and issued a patch to address it.

As NBC News reports, Mandiant said the GRU, Russia’s military intelligence agency, had been exploiting the previously unknown flaw for nearly a year. According to a spokesperson for the Google-owned cybersecurity company, the GRU used the bug to hack into government systems in Poland, Ukraine, Romania and Turkey.

Mandian’s cyber intelligence boss, John Holtquist, urged security pros to patch their systems fast now that the flaw has been made public. He told NBC News the bug was “gonna get used by everyone…. Spies and criminals.” A hacker familiar with the vulnerability said that it could craft an email to a target and gain access to computer networks without any interaction by the victim.

As Dark Reading reports, cybersecurity researchers are sounding the alarm about the flaw’s potentially broad impact. “The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim,” Nick Ascoli, founder and CEO of cybersecurity firm Foretrace, told the news site.

Bud Broomhead, CEO at Viakoo, another cybersecurity business, added that identity management and trust of internal email communications could be among the most significant areas affected by the bug.

As Cybersecurity Dive reports, researchers expect state-linked and financially motivated threat actors alike to exploit the Outlook vulnerability.

The Hacker News notes that Microsoft attributed the discovery of the flaw to the Computer Emergency Response Team of Ukraine. Microsoft said it had learned about “limited targeted attacks" by Russia-based hackers against government, transportation, energy, and military targets in Europe.