Vulnerable software includes Microsoft's Edge and Internet Explorer browsers, as well as its Office, Exchange and Outlook software.
"A malicious container could allow an attacker to execute arbitrary code on any system installing (or "pulling") the container", explained Trustwave threat intelligence manager, Karl Sigler.
At the time of this writing, Microsoft hasn't responded to the growing thread of reports.
Kaspersky Lab has provided a fairly detailed analysis of how the exploit functions. Victims who opened the Office document would silently be infected via a malicious webpage opened in the background.
The VBScript code triggers a use-after-free vulnerability, a type of memory corruption, to run shellcode.
Security experts recommend that all Windows users, individuals and businesses alike, patch this flaw as quickly as possible. The complete session will also soon be posted to the Microsoft Build website.
Microsoft said attackers could exploit this bug by hosting an exploit in website ads or on a website, conning people into viewing malicious content within the Internet Explorer browser. Taken together, this is a rather vast attack surface for enterprise users. The flaw was first discovered in the Windows VBScript engine by researchers from Qihoo 360 Core Security.
Microsoft's May Patch Tuesday CVE roundup also includes two official "public disclosures". Neither vulnerability was exploited in the wild. In both cases attackers would need to have logged on or gained locally authenticated access to the system to exploit them, according to Goettl.
Fluent Design System updates have also been deployed. "CVE-2018-8120 is an elevation of privilege vulnerability affecting Windows 7, Server 2008, and Server 2008 R2", said Wiseman.
If you are affected, please be assured that Microsoft is working on a solution which will be "provided in a near future Windows Update". A failure of the Win32k component allows for arbitrary code to be executed in kernel mode.
On Tuesday, Microsoft issued patches for two vulnerabilities presently being leveraged by hackers.
Also, Microsoft has fixed a spoofing vulnerability in its Azure IoT Device Provisioning AMQP Transport library.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user".