CVE-2017-0199: life of an exploit
released on 2017-06-20 @ 02:17:58 PM
The normal lifecycle of an Office exploit starts with the initial use in targeted
attacks. Then, at some point, the information leaks out and cybercrime groups
start using it more widely.
Offensive security researchers then start experimenting with AV evasion, and the
exploit finally ends up in underground exploit builders.
Normally this cycle can take a few months. In the case of the CVE-2017-0199
Word exploit, we have observed this in a much more accelerated time scale.