360 Core Security observed an APT group exploiting a zero-day vulnerability in IE, dubbed double play The flaw is still unfixed and Microsoft hasnt yet released a patch. The vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel. Microsoft confirmed the existence of the flaw and Microsoft confirmed it to Microsoft. The attack chain was delivered an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server.”]
Source: https://securityaffairs.co/wordpress/71582/hacking/double-pay-zero-day.html