We have identified an ongoing spear-phishing campaign targeting a variety of entities with malicious RTF documents exploiting three different vulnerabilities: CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 and taking advantage of a misplaced trust binary, Microsoft’s msxsl, to run a JScript backdoor. The whole attack chain leverages on system’s signed components to remain under the radar as much as possible and it shares many …